security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package (#3119)

Browse Source 
* Adding Lateral Movement Detection rules

* added tags; adjusted tests; updated manifests and schemas

* added default value to build_integrations_schema

* combined analytic and non-dataset packages for related integrations

* adjusted machine learning definitions

* adjusted machine learning definitions

* removed splat for machine learning list due to 3.8 constraints

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 747ee7d593)
This commit is contained in:
Apoorva Joshi
2023-09-27 11:53:38 -07:00
committed by github-actions[bot]
parent 7cb4c5216d
commit 116a7de890
20 changed files with 636 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/lmd/lateral_movement_malicious_remote_file_creation.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd","endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
author = ["Elastic"]
description = "Malicious remote file creation, which can be an indicator of lateral movement activity."
from = "now-10m"
index = ["logs-endpoint.events.*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Malicious Remote File Creation"
references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
risk_score = 99
rule_id = "301571f3-b316-4969-8dd0-7917410030d3"
severity = "critical"
tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.name
[file where event.action == "creation" and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
[file where event.category == "malware" or event.category == "intrusion_detection"
and process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high number of process arguments in an RDP session. Executing
sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms,
redirection and piping, which in turn increases the number of arguments in a command.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_mean_rdp_process_args"
name = "High Mean of Process Arguments in an RDP Session"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/09/12"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade
detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might
require uninterrupted access to a compromised machine.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
name = "High Mean of RDP Session Duration"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
+46
View File
@@ -0,0 +1,46 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral
movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data
into a single large file transfer.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
name = "Unusual Remote File Size"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to
evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that
might require uninterrupted access to a compromised machine.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_var_rdp_session_duration"
name = "High Variance in RDP Session Duration"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/09/12"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral
movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so
attackers might use less common directories to bypass monitoring.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
name = "Unusual Remote File Directory"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
+44
View File
@@ -0,0 +1,44 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential
lateral movement activity on the host.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
name = "Unusual Remote File Extension"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source
IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of
valuable assets, data, or further access points.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
name = "Spike in Number of Connections Made from a Source IP"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination
IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets
detected and blocked.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
name = "Spike in Number of Connections Made to a Destination IP"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
+44
View File
@@ -0,0 +1,44 @@
[metadata]
creation_date = "2023/09/12"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a
large number of processes remotely on other machines can be an indicator of lateral movement activity.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
name = "Spike in Number of Processes in an RDP Session"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
+46
View File
@@ -0,0 +1,46 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral
movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network,
to evade detection.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_count_remote_file_transfer"
name = "Spike in Remote File Transfers"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual
time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger
attack.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
name = "Unusual Time or Day for an RDP Session"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/integrations/lmd/lateral_movement_remote_file_creation_in_sensitive_directory.toml
+57
View File
@@ -0,0 +1,57 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd","endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/21"
[rule]
author = ["Elastic"]
description = """
Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these
directories could indicate a malicious binary or script trying to compromise the system.
"""
from = "now-10m"
index = ["logs-endpoint.events.*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Remote File Creation on a Sensitive Directory"
references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
risk_score = 47
rule_id = "2377946d-0f01-4957-8812-6878985f515d"
severity = "medium"
tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where (event.action == "creation" or event.action == "modification") and
process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and not
user.name:("SYSTEM", "root") and
(file.path : ("C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*",
"C*\\Windows\\*", "C*\\Windows\\System\\*",
"C*\\Windows\\System32\\*", "/etc/*", "/tmp*",
"/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
"/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
"/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
"/lib/systemd/*"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"