From 0d3c35886cdfe5d64f4538a790b49f8ead015ad1 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Wed, 28 Oct 2020 21:35:34 +0100
Subject: [PATCH] Remove connection type from endpoint network rules (#426)
---
 ...ment_telnet_network_activity_external.toml | 14 ++++----
 ...ment_telnet_network_activity_internal.toml | 16 ++++-----
 .../linux_netcat_network_connection.toml | 15 ++++----
 ...d_control_certutil_network_connection.toml | 12 ++++---
 .../defense_evasion_installutil_beacon.toml | 4 +--
 ...isc_lolbin_connecting_to_the_internet.toml | 16 +++++----
 .../windows/defense_evasion_msxsl_beacon.toml | 4 +--
 ...etwork_connection_from_windows_binary.toml | 4 +--
 rules/windows/defense_evasion_reg_beacon.toml | 4 +--
 ...defense_evasion_rundll32_no_arguments.toml | 6 ++--
 .../defense_evasion_rundll32_sequence.toml | 4 +--
 ...and_prompt_connecting_to_the_internet.toml | 13 +++----
 ...le_program_connecting_to_the_internet.toml | 13 +++----
 ...on_msbuild_making_network_connections.toml | 13 +++----
 ...tion_mshta_making_network_connections.toml | 10 +++---
 rules/windows/execution_msxsl_network.toml | 13 +++----
 ...ution_psexec_lateral_movement_command.toml | 10 +++---
 ...er_program_connecting_to_the_internet.toml | 16 +++++----
 ...usual_network_connection_via_rundll32.toml | 13 +++----
 ...on_unusual_process_network_connection.toml | 35 +++++++++++++++----
 .../windows/execution_wpad_exploitation.toml | 2 +-
 .../windows/lateral_movement_cmd_service.toml | 4 +--
 ...vement_direct_outbound_smb_connection.toml | 14 ++++----
 23 files changed, 149 insertions(+), 106 deletions(-)
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index 07555af14..e4b25c254 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Connection to External Network via Telnet"
 risk_score = 47
@@ -28,12 +28,13 @@ rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:(connection or start) and
- process.name:telnet and
- not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128")
+sequence by process.entity_id
+ [process where process.name == "telnet" and event.type == "start"]
+ [network where process.name == "telnet" and
+ destination.ip not in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "FE80::/10", "::1/128")]
 '''
@@ -49,4 +50,3 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index 02176f19f..2c2b5848c 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
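Review bot: The new `sequence by process.entity_id` in the query hunk only fires when the telnet process-start event and its network event both fall inside what the rule searches (the hunk above keeps `from = "now-9m"`), and the sequence carries no `maxspan`, so, as far as the engine searches only that window, a connection made by a telnet process started earlier is no longer matched, whereas the removed `event.type:(connection or start)` query matched the network event on its own. If that narrowing is intended it deserves a sentence in the rule description; if not, the network step alone keeps the old coverage. The same consideration applies to the kuery-to-EQL rewrites of the internal telnet, netcat, certutil, signed-binary, cmd.exe, hh.exe, MSBuild, mshta, msxsl, PsExec, registration-utility, rundll32, unusual-process and SMB rules later in this patch. Separately, the private-range exclusions now rely on `destination.ip not in ("127.0.0.0/8", ...)` performing CIDR matching on an ip field; please confirm that holds for the EQL engine in use, because if `in` is a plain value comparison these exclusions silently stop filtering and `not cidrMatch(destination.ip, "127.0.0.0/8", ...)` is the explicit form.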
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Connection to Internal Network via Telnet"
 risk_score = 47
@@ -28,13 +28,14 @@ rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:(connection or start) and
- process.name:telnet and
- destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10") and
- not (127.0.0.0/8 or "::1/128"))
+sequence by process.entity_id
+ [process where process.name == "telnet" and event.type == "start"]
+ [network where process.name == "telnet" and
+ destination.ip in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "FE80::/10") and
+ destination.ip not in ("127.0.0.0/8", "::1/128")]
 '''
@@ -50,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml
index 7d9c09ace..0b4b3e26b 100644
--- a/rules/linux/linux_netcat_network_connection.toml
+++ b/rules/linux/linux_netcat_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Netcat Network Activity"
 references = [
@@ -33,10 +33,13 @@ rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:(access or connection or start) and
- process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional)
+sequence by process.entity_id
+ [process where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
+ process.name == "netcat.openbsd" or process.name == "netcat.traditional") and
+ event.type == "start"]
+ [network where (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
+ process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
 '''
-
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index 89a11c063..d6bffe368 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ malware, from a remote URL.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Network Connection via Certutil"
 risk_score = 21
@@ -20,11 +20,13 @@ rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and process.name:certutil.exe and
- not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id
+ [process where process.name : "certutil.exe" and event.type == "start"]
+ [network where process.name : "certutil.exe" and
+ destination.ip not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
 '''
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 6b8aa5a83..226bf131c 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ query = '''
 sequence by process.entity_id
 [process where event.type in ("start", "process_started") and process.name : "installutil.exe"]
- [network where event.type == "connection" and process.name : "installutil.exe" and network.direction == "outgoing"]
+ [network where process.name : "installutil.exe" and network.direction == "outgoing"]
 '''
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 03ee94896..343418971 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
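Review bot: With `event.type == "connection"` dropped from the installutil network step, that step now matches every `network`-category event for installutil.exe, and this patch itself shows the category carries more than connections (the wpad rule queries `network.protocol == "dns"` events from the same category); here `network.direction == "outgoing"` still narrows it, but the equivalent removals in the windows-binary, reg-beacon, rundll32-sequence and cmd-service hunks keep no direction or type constraint at all. If the endpoint source records the connection itself under some `event.type` value, keeping that value in the network step, or adding `network.direction == "outgoing"` where it is absent, preserves the "connection" semantics the rule names describe rather than alerting on every lookup the process makes. A one-line `/* ... */` comment in the query noting why the type clause was removed would also save the next maintainer from re-adding it. The enclosing sequence begins before this hunk.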
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ application allowlists and signature validation.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Network Connection via Signed Binary"
 risk_score = 21
@@ -21,12 +21,16 @@ rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and
- process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and
- not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id
+ [process where (process.name : "expand.exe" or process.name : "extrac.exe" or
+ process.name : "ieexec.exe" or process.name : "makecab.exe") and
+ event.type == "start"]
+ [network where (process.name : "expand.exe" or process.name : "extrac.exe" or
+ process.name : "ieexec.exe" or process.name : "makecab.exe") and
+ destination.ip not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
 '''
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index 5ac0481af..bb9682b6d 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ type = "eql"
 query = '''
 sequence by process.entity_id
 [process where event.type in ("start", "process_started") and process.name : "msxsl.exe"]
- [network where event.type == "connection" and process.name : "msxsl.exe" and network.direction == "outgoing"]
+ [network where process.name : "msxsl.exe" and network.direction == "outgoing"]
 '''
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index c407f81de..9b7dedfc7 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ sequence by process.entity_id with maxspan=5m
 process.name : "rcsi.exe" or
 process.name : "regsvr32.exe" or
 process.name : "xwizard.exe")]
- [network where event.type == "connection" and
+ [network where
 (process.name : "bginfo.exe" or
 process.name : "cdb.exe" or
 process.name : "control.exe" or
diff --git a/rules/windows/defense_evasion_reg_beacon.toml b/rules/windows/defense_evasion_reg_beacon.toml
index 728e3e807..9954bb80b 100644
--- a/rules/windows/defense_evasion_reg_beacon.toml
+++ b/rules/windows/defense_evasion_reg_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ query = '''
 sequence by process.entity_id
 [process where event.type in ("start", "process_started") and
 (process.name : "RegAsm.exe" or process.name : "regsvcs.exe" or process.name : "regsvr32.exe")]
- [network where event.type == "connection" and
+ [network where
 (process.name : "RegAsm.exe" or process.name : "regsvcs.exe" or process.name : "regsvr32.exe")]
 until
 [process where event.type == "end" and
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 41920da0e..d6a48e600 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -29,9 +29,7 @@ sequence with maxspan=1h
 (process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ ) and
 process.args_count < 2
 ] by process.entity_id
- [process where event.type in ("start", "process_started") and
- /* uncomment once in winlogbeat */
- (process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ )
+ [process where event.type in ("start", "process_started") and process.parent.name : "rundll32.exe"
 ] by process.parent.entity_id
 '''
diff --git a/rules/windows/defense_evasion_rundll32_sequence.toml b/rules/windows/defense_evasion_rundll32_sequence.toml
index c9858a9c4..0334dfda0 100644
--- a/rules/windows/defense_evasion_rundll32_sequence.toml
+++ b/rules/windows/defense_evasion_rundll32_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
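Review bot: The rewritten second step of the rundll32 no-arguments sequence now matches any child process whose `process.parent.name` is rundll32.exe, whereas the three removed lines matched only a rundll32.exe child; that is a change in what the rule detects, not a connection-type removal, and neither the patch subject nor the rule's own description mentions it, so it should be called out in the commit message and reflected in the rule description if it is intended. Because the step is already joined `by process.parent.entity_id` to the first step's entity, the `process.parent.name : "rundll32.exe"` clause acts only as a prefilter; a short `/* parent is fixed by the join; name check is a prefilter */` comment in the query would make that clear to the next reader. The sequence's first step starts before this hunk.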
@@ -28,7 +28,7 @@ sequence by process.entity_id with maxspan=2h
 /* uncomment once in winlogbeat */
 (process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ ) and
 process.args_count < 2]
- [network where event.type == "connection" and
+ [network where
 /* uncomment once in winlogbeat */
 (process.name : "rundll32.exe" /* or process.pe.original_file_name == "RUNDLL32.EXE" */ )]
 '''
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index ed777d393..9cfd43f3d 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Command Prompt Network Connection"
 risk_score = 21
@@ -26,12 +26,13 @@ rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and
- process.name:cmd.exe and
- not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id
+ [process where process.name : "cmd.exe" and event.type == "start"]
+ [network where process.name : "cmd.exe" and
+ destination.ip not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
 '''
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 4e94869f3..43a1a488d 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ program (hh.exe).
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Network Connection via Compiled HTML File"
 risk_score = 21
@@ -21,12 +21,13 @@ rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and
- process.name:hh.exe and
- not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id
+ [process where process.name : "hh.exe" and event.type == "start"]
+ [network where process.name : "hh.exe" and
+ destination.ip not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
 '''
diff --git a/rules/windows/execution_msbuild_making_network_connections.toml b/rules/windows/execution_msbuild_making_network_connections.toml
index 1281cc371..97c5c588e 100644
--- a/rules/windows/execution_msbuild_making_network_connections.toml
+++ b/rules/windows/execution_msbuild_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ leveraged by adversaries to execute code and evade detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "MsBuild Making Network Connections"
 risk_score = 47
@@ -20,12 +20,13 @@ rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and
- process.name:MSBuild.exe and
- not destination.ip:(127.0.0.1 or "::1")
+sequence by process.entity_id
+ [process where process.name : "MSBuild.exe" and event.type == "start"]
+ [network where process.name : "MSBuild.exe" and
+ destination.ip not in ("127.0.0.1", "::1")]
 '''
diff --git a/rules/windows/execution_mshta_making_network_connections.toml b/rules/windows/execution_mshta_making_network_connections.toml
index d4b5b17fc..da4a639d9 100644
--- a/rules/windows/execution_mshta_making_network_connections.toml
+++ b/rules/windows/execution_mshta_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Network Connection via Mshta"
 references = ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"]
@@ -21,10 +21,12 @@ rule_id = "a4ec1382-4557-452b-89ba-e413b22ed4b8"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and process.name:mshta.exe
+sequence by process.entity_id
+ [process where process.name : "mshta.exe" and event.type == "start"]
+ [network where process.name : "mshta.exe"]
 '''
diff --git a/rules/windows/execution_msxsl_network.toml b/rules/windows/execution_msxsl_network.toml
index f485049a1..b6b13e89d 100644
--- a/rules/windows/execution_msxsl_network.toml
+++ b/rules/windows/execution_msxsl_network.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ by adversaries to execute malicious scripts and evade detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Network Connection via MsXsl"
 risk_score = 21
@@ -20,12 +20,13 @@ rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and
- process.name:msxsl.exe and
- not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id
+ [process where process.name : "msxsl.exe" and event.type == "start"]
+ [network where process.name : "msxsl.exe" and
+ destination.ip not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
 '''
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 89b08cbd0..fc0b62ca6 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "PsExec Network Connection"
 risk_score = 21
@@ -26,10 +26,12 @@ rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and process.name:PsExec.exe
+sequence by process.entity_id
+ [process where process.name : "PsExec.exe" and event.type == "start"]
+ [network where process.name : "PsExec.exe"]
 '''
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 147df8bcb..abd455979 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Network Connection via Registration Utility"
 risk_score = 21
@@ -26,12 +26,16 @@ rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and
- process.name:(regsvr32.exe or regsvr64.exe or RegAsm.exe or RegSvcs.exe) and
- not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)
+sequence by process.entity_id
+ [process where (process.name : "regsvr32.exe" or process.name : "regsvr64.exe" or
+ process.name : "RegAsm.exe" or process.name : "RegSvcs.exe") and
+ event.type == "start"]
+ [network where (process.name : "regsvr32.exe" or process.name : "regsvr64.exe" or
+ process.name : "RegAsm.exe" or process.name : "RegSvcs.exe") and
+ destination.ip not in ("10.0.0.0/8", "169.254.169.254", "172.16.0.0/12", "192.168.0.0/16")]
 '''
diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
index 7e8bac2df..4a59eef35 100644
--- a/rules/windows/execution_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ and may identify malicious DLLs.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Unusual Network Connection via RunDLL32"
 risk_score = 21
@@ -20,12 +20,13 @@ rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and
- process.name:rundll32.exe and
- not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8)
+sequence by process.entity_id
+ [process where process.name : "rundll32.exe" and event.type == "start"]
+ [network where process.name : "rundll32.exe" and
+ destination.ip not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
 '''
diff --git a/rules/windows/execution_unusual_process_network_connection.toml b/rules/windows/execution_unusual_process_network_connection.toml
index bc91ea3d1..c59803c7e 100644
--- a/rules/windows/execution_unusual_process_network_connection.toml
+++ b/rules/windows/execution_unusual_process_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ applications are often leveraged by adversaries to execute code and evade detect
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Unusual Process Network Connection"
 risk_score = 21
@@ -20,12 +20,35 @@ rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
 severity = "low"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and
- process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or
- fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe)
+sequence by process.entity_id
+ [process where (process.name : "Microsoft.Workflow.Compiler.exe" or
+ process.name : "bginfo.exe" or
+ process.name : "cdb.exe" or
+ process.name : "cmstp.exe" or
+ process.name : "csi.exe" or
+ process.name : "dnx.exe" or
+ process.name : "fsi.exe" or
+ process.name : "ieexec.exe" or
+ process.name : "iexpress.exe" or
+ process.name : "odbcconf.exe" or
+ process.name : "rcsi.exe" or
+ process.name : "xwizard.exe") and
+ event.type == "start"]
+ [network where (process.name : "Microsoft.Workflow.Compiler.exe" or
+ process.name : "bginfo.exe" or
+ process.name : "cdb.exe" or
+ process.name : "cmstp.exe" or
+ process.name : "csi.exe" or
+ process.name : "dnx.exe" or
+ process.name : "fsi.exe" or
+ process.name : "ieexec.exe" or
+ process.name : "iexpress.exe" or
+ process.name : "odbcconf.exe" or
+ process.name : "rcsi.exe" or
+ process.name : "xwizard.exe")]
 '''
diff --git a/rules/windows/execution_wpad_exploitation.toml b/rules/windows/execution_wpad_exploitation.toml
index 18c7b28ee..81514045d 100644
--- a/rules/windows/execution_wpad_exploitation.toml
+++ b/rules/windows/execution_wpad_exploitation.toml
@@ -31,7 +31,7 @@ sequence with maxspan=5s
 user.domain == "NT AUTHORITY" and user.name == "LOCAL SERVICE"] by process.entity_id
 [network where network.protocol == "dns" and process.name : "svchost.exe" and dns.question.name : "wpad" and process.name : "svchost.exe"] by process.entity_id
- [network where event.type == "connection" and process.name : "svchost.exe"
+ [network where process.name : "svchost.exe"
 and network.direction == "outgoing" and destination.port == 80] by process.entity_id
 [library where event.type == "start" and process.name : "svchost.exe" and file.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 50d28f25b..efec0f53d 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ sequence by process.entity_id with maxspan=1m
 process.args : "config" or
 process.args : "failure" or
 process.args : "start")]
- [network where event.type == "connection" and process.name : "sc.exe" and destination.ip != "127.0.0.1"]
+ [network where process.name : "sc.exe" and destination.ip != "127.0.0.1"]
 '''
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 7c6eb449a..f3a42a2aa 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/27"
+updated_date = "2020/10/28"
 [rule]
 author = ["Elastic"]
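Review bot: The new sc.exe network step in the cmd_service hunk excludes loopback only with `destination.ip != "127.0.0.1"`, so a connection to the IPv6 loopback still matches, while the MSBuild and SMB rules in this same patch exclude both addresses with `destination.ip not in ("127.0.0.1", "::1")`; `[network where process.name : "sc.exe" and destination.ip not in ("127.0.0.1", "::1")]` keeps the three consistent. With the type clause gone this step also matches every network-category event sc.exe produces, not just the connection, which the rule name "service" lateral movement presumes. The sequence's first step starts before this hunk.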
@@ -14,7 +14,7 @@ suspicious user-level processes moving laterally.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Direct Outbound SMB Connection"
 risk_score = 47
@@ -22,13 +22,13 @@ rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
-type = "query"
+type = "eql"
 query = '''
-event.category:network and event.type:connection and
- destination.port:445 and
- not process.pid:4 and
- not destination.ip:(127.0.0.1 or "::1")
+sequence by process.entity_id
+ [process where event.type == "start" and process.pid != 4]
+ [network where destination.port == 445 and process.pid != 4 and
+ destination.ip not in ("127.0.0.1", "::1")]
 '''
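Review bot: The first step `[process where event.type == "start" and process.pid != 4]` has no process filter, so the sequence presumably has to hold a start event for every process on the host before a port-445 event can be joined to it, and `process.pid != 4` adds nothing there unless the source emits a start event for the System process; if the intent is only to exclude kernel-originated SMB, the `process.pid != 4` in the network step already does that. The rule is named "Outbound" but, unlike the installutil and msxsl steps in this patch, the network step carries no `network.direction == "outgoing"` clause; adding it would make the intent explicit. The rule description should also say the rule is now a two-event sequence rather than a single network query, since a process that started outside the searched window will no longer alert.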