[Detection Rules] Add 7.10 rules #79061
Conversation
@elasticmachine merge upstream
"language": "eql", | ||
"license": "Elastic License", | ||
"name": "Bypass UAC via Sdclt", | ||
"query": "sequence with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and process.name == \"sdclt.exe\" and\n /* process.code_signature.* fields need to be populated for 7.10 */\n process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and\n process.args == \"/kickoffelev\"\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name == \"sdclt.exe\" and\n process.executable not in (\"C:\\\\Windows\\\\System32\\\\sdclt.exe\",\n \"C:\\\\Windows\\\\System32\\\\control.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\sdclt.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n ] by process.parent.entity_id\n", |
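Review bot: the second step's exclusion relies on exact matches of `process.executable` against four fixed paths (`C:\\Windows\\System32\\sdclt.exe`, `...\\control.exe` and their SysWOW64 copies), so it is only a strict allowlist if string comparison in this EQL version ignores case and the endpoint always reports the canonical path; please confirm that for the 7.10 target and state the assumption in the rule's description, since a mismatch would either suppress or inflate alerts for the legitimate `sdclt.exe` child processes. The `/* process.code_signature.* fields need to be populated for 7.10 */` text lives inside the query string itself rather than in rule metadata, so the follow-up that removes it should touch every rule carrying it, not just this one.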
Just commenting for posterity that we'll remove /* process.code_signature.* fields need to be populated for 7.10 */ in a follow-up PR.
🚀
"language": "eql", | ||
"license": "Elastic License", | ||
"name": "Windows Suspicious Script Object Execution", | ||
"query": "sequence by process.entity_id with maxspan=2m\n [process where event.type in (\"start\", \"process_started\") and\n /* process.code_signature.* fields need to be populated for 7.10 */\n process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true and\n process.name not in (\"cscript.exe\",\n \"iexplore.exe\",\n \"MicrosoftEdge.exe\",\n \"msiexec.exe\",\n \"smartscreen.exe\",\n \"taskhostw.exe\",\n \"w3wp.exe\",\n \"wscript.exe\")]\n [library where event.type == \"start\" and file.name == \"scrobj.dll\"]\n", |
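Review bot: the `process.name not in (...)` allowlist mixes casing (`MicrosoftEdge.exe` beside all-lowercase entries such as `cscript.exe`), so whether those entries actually exclude the intended processes depends on how `in` handles case in this EQL version; normalize the entries to one casing and confirm the comparison semantics, otherwise the sequence may fire on Edge loading `scrobj.dll` or silently skip a browser it meant to cover. As with the Sdclt rule, the `/* ... 7.10 */` marker is embedded in the query string and should be tracked for removal together with the other rules that carry it.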
Just commenting for posterity that we'll remove /* process.code_signature.* fields need to be populated for 7.10 */ in a follow-up PR.
"Elastic", | ||
"Linux", | ||
"Windows", | ||
"macOS" |
Looks like this should be capitalized? Seeing four other rules using the capitalized variant but only this rule using macOS.
"macOS" | |
"MacOS" |
Good catch - I will add a unit test to verify this casing and make the change in the follow-on PR
Tangential, but discovered an issue with tags (#79566) where if you delete all the rules for a tag that is being filtered the tag will be locked as a selection until the user refreshes/re-visits the page (and so no rules will be displayed).
Checked out and tested locally, LGTM! Hellooooooo EQL rules!! 😀
* [Detection Rules] Add 7.10 rules
* fixes cypress tests

Co-authored-by: Gloria Hornero <snootchie.boochies@gmail.com>
Summary
Add security detection rules from detection-rules
Checklist
For maintainers
[ ] This was checked for breaking API changes and was labeled appropriately