[Detection Rules] Add 7.10 rules #79061

Merged
merged 9 commits into from
Oct 5, 2020

Conversation

brokensound77
Contributor

Summary

Add security detection rules from detection-rules


@brokensound77 brokensound77 added the labels release_note:skip, v7.10.0 and Feature:Detection Rules on Oct 1, 2020
@brokensound77 brokensound77 requested a review from a team as a code owner October 1, 2020 07:08
@brokensound77
Contributor Author

@elasticmachine merge upstream

@brokensound77 brokensound77 requested review from a team as code owners October 2, 2020 14:58
@spong
Member

spong commented Oct 2, 2020

@elasticmachine merge upstream

@spong
Member

spong commented Oct 5, 2020

@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Build Succeeded

Metrics

distributable file count

id       before   after   diff
default  47119    47238   +119


To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

"language": "eql",
"license": "Elastic License",
"name": "Bypass UAC via Sdclt",
"query": "sequence with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sdclt.exe\" and\n /* process.code_signature.* fields need to be populated for 7.10 */\n process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and\n process.args == \"/kickoffelev\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name == \"sdclt.exe\" and\n process.executable not in (\"C:\\\\Windows\\\\System32\\\\sdclt.exe\",\n \"C:\\\\Windows\\\\System32\\\\control.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\sdclt.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n ] by process.parent.entity_id\n",
Member

Just commenting for posterity that we'll remove /* process.code_signature.* fields need to be populated for 7.10 */ in a follow-up PR.

@bm11100 bm11100 left a comment

🚀

"language": "eql",
"license": "Elastic License",
"name": "Windows Suspicious Script Object Execution",
"query": "sequence by process.entity_id with maxspan=2m\n [process where event.type in (\"start\", \"process_started\") and\n /* process.code_signature.* fields need to be populated for 7.10 */\n process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and\n process.name not in (\"cscript.exe\",\n \"iexplore.exe\",\n \"MicrosoftEdge.exe\",\n \"msiexec.exe\",\n \"smartscreen.exe\",\n \"taskhostw.exe\",\n \"w3wp.exe\",\n \"wscript.exe\")]\n [library where event.type == \"start\" and file.name == \"scrobj.dll\"]\n",
Member

Just commenting for posterity that we'll remove /* process.code_signature.* fields need to be populated for 7.10 */ in a follow-up PR.
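Both sequence rules quoted in this thread ("Bypass UAC via Sdclt" above and "Windows Suspicious Script Object Execution" here) depend on `sequence ... with maxspan` and on the per-stage `by` join keys. The Python below is an added illustration, not code from Kibana or the detection-rules repository: it re-expresses the two queries as predicates and runs a simplified sequence matcher over constructed events, so you can see which chains fire, which are suppressed by the expected-executable and expected-host lists, and which fall outside maxspan. Every event value, entity id and path is made up, and the matcher deliberately omits parts of real EQL (`until`, runs, null handling, field typing).

```python
from datetime import datetime, timedelta

T0 = datetime(2020, 10, 5, 12, 0, 0)  # constructed base time for the sample events

def ts(seconds):
    return T0 + timedelta(seconds=seconds)

def is_process_start(e):
    return e.get("event.category") == "process" and e.get("event.type") in ("start", "process_started")

def is_microsoft_signed(e):
    # stands in for the process.code_signature.* checks the rules rely on from 7.10
    return (e.get("process.code_signature.subject_name") == "Microsoft Corporation"
            and e.get("process.code_signature.trusted") is True)

# "Bypass UAC via Sdclt": stage 1 joins on process.entity_id, stage 2 on process.parent.entity_id
SDCLT_EXPECTED_CHILDREN = {
    "C:\\Windows\\System32\\sdclt.exe", "C:\\Windows\\System32\\control.exe",
    "C:\\Windows\\SysWOW64\\sdclt.exe", "C:\\Windows\\SysWOW64\\control.exe",
}

def sdclt_elevated_start(e):
    return (is_process_start(e) and e.get("process.name") == "sdclt.exe"
            and is_microsoft_signed(e) and "/kickoffelev" in e.get("process.args", []))

def unexpected_sdclt_child(e):
    return (is_process_start(e) and e.get("process.parent.name") == "sdclt.exe"
            and e.get("process.executable") not in SDCLT_EXPECTED_CHILDREN)

BYPASS_UAC_VIA_SDCLT = {
    "maxspan": timedelta(minutes=1),
    "stages": [(sdclt_elevated_start, lambda e: e.get("process.entity_id")),
               (unexpected_sdclt_child, lambda e: e.get("process.parent.entity_id"))],
}

# "Windows Suspicious Script Object Execution": both stages join on process.entity_id
SCROBJ_EXPECTED_HOSTS = {"cscript.exe", "iexplore.exe", "MicrosoftEdge.exe", "msiexec.exe",
                         "smartscreen.exe", "taskhostw.exe", "w3wp.exe", "wscript.exe"}

def signed_unexpected_host_start(e):
    return (is_process_start(e) and is_microsoft_signed(e)
            and e.get("process.name") not in SCROBJ_EXPECTED_HOSTS)

def scrobj_load(e):
    return (e.get("event.category") == "library" and e.get("event.type") == "start"
            and e.get("file.name") == "scrobj.dll")

SUSPICIOUS_SCRIPT_OBJECT_EXECUTION = {
    "maxspan": timedelta(minutes=2),
    "stages": [(signed_unexpected_host_start, lambda e: e.get("process.entity_id")),
               (scrobj_load, lambda e: e.get("process.entity_id"))],
}

def run_sequence(events, rule):
    """Return every completed chain. A chain starts at a stage-0 event, advances when a
    later event satisfies the next stage with an equal join key, and must finish within
    maxspan of its first event. (Simplified model of EQL; see the lead-in for what is left out.)"""
    stages, maxspan = rule["stages"], rule["maxspan"]
    pending, matches = [], []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        # forget partial chains that can no longer complete inside maxspan
        pending = [p for p in pending if e["@timestamp"] - p[1][0]["@timestamp"] <= maxspan]
        for i in range(len(stages) - 1, -1, -1):  # later stages first: extend before restarting
            pred, key_of = stages[i]
            if not pred(e):
                continue
            if i == 0:
                pending.append((key_of(e), [e]))
                continue
            for j, (key, chain) in enumerate(pending):
                if len(chain) == i and key == key_of(e):
                    chain = chain + [e]
                    if len(chain) == len(stages):
                        matches.append(chain)
                        del pending[j]
                    else:
                        pending[j] = (key, chain)
                    break
    return matches

def proc(seconds, name, entity, parent=None, exe=None, args=(), signed=False):
    e = {"@timestamp": ts(seconds), "event.category": "process", "event.type": "start",
         "process.name": name, "process.entity_id": entity, "process.args": list(args)}
    if exe:
        e["process.executable"] = exe
    if parent:
        e["process.parent.name"], e["process.parent.entity_id"] = parent
    if signed:
        e.update({"process.code_signature.subject_name": "Microsoft Corporation",
                  "process.code_signature.trusted": True})
    return e

def lib(seconds, entity, name):
    return {"@timestamp": ts(seconds), "event.category": "library", "event.type": "start",
            "process.entity_id": entity, "file.name": name}

EVENTS = [  # constructed sample telemetry; names, ids and paths are made up
    proc(0, "sdclt.exe", "p1", args=["sdclt.exe", "/kickoffelev"], signed=True),
    proc(5, "example.exe", "p9", parent=("sdclt.exe", "p1"), exe="C:\\Temp\\example.exe"),  # fires
    proc(10, "control.exe", "p10", parent=("sdclt.exe", "p1"), exe="C:\\Windows\\System32\\control.exe"),  # expected child
    proc(30, "sdclt.exe", "p2", args=["sdclt.exe", "/kickoffelev"], signed=True),
    proc(150, "late.exe", "p11", parent=("sdclt.exe", "p2"), exe="C:\\Temp\\late.exe"),  # 120 s later: outside maxspan
    proc(60, "notepad.exe", "p3", signed=True),
    lib(61, "p3", "scrobj.dll"),  # fires: signed host not in the expected list
    proc(70, "wscript.exe", "p4", signed=True),
    lib(71, "p4", "scrobj.dll"),  # wscript.exe is an expected scrobj.dll host: no alert
]

if __name__ == "__main__":
    for name, rule in (("Bypass UAC via Sdclt", BYPASS_UAC_VIA_SDCLT),
                       ("Windows Suspicious Script Object Execution", SUSPICIOUS_SCRIPT_OBJECT_EXECUTION)):
        for chain in run_sequence(EVENTS, rule):
            print(name, "->", [e.get("process.name") or e.get("file.name") for e in chain])
```

Run as a script it prints one chain per rule. The two points worth noticing are the ones the constructed data exercises: a stage-2 event only completes a chain whose join key equals its own key (the child's `process.parent.entity_id`, not its `process.entity_id`, for the Sdclt rule), and a chain that started more than maxspan ago is discarded rather than matched late. Because the `process.code_signature.*` checks sit in stage 1 of both rules, an environment that does not populate those fields (which the reviewer's note about 7.10 refers to) never even opens a partial chain, so the rule goes silent rather than noisy.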

"Elastic",
"Linux",
"Windows",
"macOS"
Member

Looks like this should be capitalized? Seeing four other rules using the capitalized variant but only this rule using macOS.

Suggested change
"macOS"
"MacOS"

Contributor Author

Good catch - I will add a unit test to verify this casing and make the change in the follow-on PR
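The casing check discussed in this exchange, as an added example that is not the unit test the author later wrote nor any code from the detection-rules project: it reads rule JSON (constructed fragments here, not the real rule files), groups tags case-insensitively, and reports every tag that appears under more than one spelling together with the majority spelling the outliers should adopt. File names and tag sets are made up; the check only assumes each rule is a JSON object with a `tags` array, as the fragments above show.

```python
import json
from collections import defaultdict

# Constructed rule fragments: only the "tags" field matters for this check.
# These are not the real rule files from the PR.
RULE_FILES = {
    "rule_a.json": json.dumps({"name": "A", "tags": ["Elastic", "Windows", "MacOS"]}),
    "rule_b.json": json.dumps({"name": "B", "tags": ["Elastic", "MacOS"]}),
    "rule_c.json": json.dumps({"name": "C", "tags": ["Elastic", "Linux", "MacOS"]}),
    "rule_d.json": json.dumps({"name": "D", "tags": ["Elastic", "MacOS", "Windows"]}),
    "rule_e.json": json.dumps({"name": "E", "tags": ["Elastic", "Linux", "Windows", "macOS"]}),
}

def tag_spellings(rule_files):
    """Group every tag case-insensitively: {casefolded tag: {spelling: sorted list of files}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for path, text in rule_files.items():
        for tag in json.loads(text).get("tags", []):
            seen[tag.casefold()][tag].add(path)
    return {key: {spelling: sorted(paths) for spelling, paths in variants.items()}
            for key, variants in seen.items()}

def casing_conflicts(rule_files):
    """Only the tags that appear under more than one spelling."""
    return {key: variants for key, variants in tag_spellings(rule_files).items()
            if len(variants) > 1}

def majority_spelling(variants):
    """The spelling used by the most rules, i.e. the convention the outliers should adopt."""
    return max(variants, key=lambda spelling: len(variants[spelling]))

def check_tag_casing(rule_files):
    """Return one finding per offending file/tag; an empty list means the set is consistent."""
    findings = []
    for key, variants in sorted(casing_conflicts(rule_files).items()):
        want = majority_spelling(variants)
        for spelling, paths in variants.items():
            if spelling != want:
                findings.append(f"{', '.join(paths)}: tag {spelling!r} should be {want!r}")
    return findings

if __name__ == "__main__":
    for line in check_tag_casing(RULE_FILES):
        print(line)
```

Wired into a test suite, `check_tag_casing` over the real rule directory should return an empty list; the majority-vote choice of canonical spelling mirrors the reviewer's reasoning above (four rules on one side, one on the other) without hard-coding "MacOS", so the same test keeps working as tags are added.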

@spong
Member

spong commented Oct 5, 2020

Tangential, but discovered an issue with tags (#79566) where if you delete all the rules for a tag that is being filtered the tag will be locked as a selection until the user refreshes/re-visits the page (and so no rules will be displayed).

Member

@spong spong left a comment

Checked out and tested locally, LGTM! Hellooooooo EQL rules!! 😀

@brokensound77 brokensound77 merged commit 7c4bdb0 into elastic:master Oct 5, 2020
spong pushed a commit to spong/kibana that referenced this pull request Oct 5, 2020
* [Detection Rules] Add 7.10 rules
* fixes cypress tests
Co-authored-by: Gloria Hornero <snootchie.boochies@gmail.com>
spong added a commit that referenced this pull request Oct 6, 2020
* [Detection Rules] Add 7.10 rules
* fixes cypress tests
Co-authored-by: Gloria Hornero <snootchie.boochies@gmail.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
@brokensound77 brokensound77 deleted the rules/7.10 branch October 26, 2020 20:22
Labels
Feature:Detection Rules, release_note:skip, v7.10.0
6 participants