From 1283a21fb74ad7e2e9598bceab45c6578dfaeadd Mon Sep 17 00:00:00 2001 From: Remco Sprooten <99642919+1337-42@users.noreply.github.com> Date: Sun, 9 Jul 2023 09:49:32 +0200 Subject: [PATCH] [New Rules] Potential portscan detected (#2817) * [New Rules] Potential portscan detected * Updated descriptions * Update rules/network/discovery_potential_syn_port_scan_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/network/discovery_potential_network_sweep_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/network/discovery_potential_port_scan_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * updating integration manifests and schemas --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: terrancedejesus Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --- ...very_potential_network_sweep_detected.toml | 68 ++++++++++++++++++ ...iscovery_potential_port_scan_detected.toml | 69 +++++++++++++++++++ ...very_potential_syn_port_scan_detected.toml | 69 +++++++++++++++++++ 3 files changed, 206 insertions(+) create mode 100644 rules/network/discovery_potential_network_sweep_detected.toml create mode 100644 rules/network/discovery_potential_port_scan_detected.toml create mode 100644 rules/network/discovery_potential_syn_port_scan_detected.toml diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml new file mode 100644 index 000000000..0ea2ed720 --- /dev/null +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -0,0 +1,68 @@ +[metadata] +creation_date = "2023/05/17" +integration = ["endpoint", "network_traffic"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/05/26" + +[rule] +author = ["Elastic"] +description = ''' +This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target +network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and +weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized +access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts +from one source host to 10 or more destination hosts on commonly used network services. +''' +from = "now-9m" +index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential Network Sweep Detected" + +risk_score = 47 +rule_id = "781f8746-2180-4691-890c-4c96d11ca91d" +severity = "medium" +tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"] +type = "threshold" + +query = ''' +destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[rule.threshold] +field = ["source.ip"] +value = 1 +[[rule.threshold.cardinality]] +field = "destination.ip" +value = 10 diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml new file mode 100644 index 000000000..f90c7fc80 --- /dev/null +++ b/rules/network/discovery_potential_port_scan_detected.toml @@ -0,0 +1,69 @@ +[metadata] +creation_date = "2023/05/17" +integration = ["endpoint", "network_traffic"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/05/26" + +[rule] +author = ["Elastic"] +description = ''' +This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a +target system or network for open ports, allowing them to identify available services and potential vulnerabilities. +By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining +unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further +exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts +from one source host to 20 or more destination ports. +''' +from = "now-9m" +index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential Network Scan Detected" + +risk_score = 47 +rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" +severity = "medium" +tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"] +type = "threshold" + +query = ''' +destination.port :* and event.action: ("network_flow" or "connection_accepted" or "connection_attempted" ) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[rule.threshold] +field = ["destination.ip", "source.ip"] +value = 1 +[[rule.threshold.cardinality]] +field = "destination.port" +value = 20 diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml new file mode 100644 index 000000000..d95732050 --- /dev/null +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml @@ -0,0 +1,69 @@ +[metadata] +creation_date = "2023/05/17" +integration = ["endpoint", "network_traffic"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/05/26" + +[rule] +author = ["Elastic"] +description = ''' +This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a +target network for open ports by sending SYN packets to multiple ports and observing the response. +Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, +allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its +security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic +to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. +''' +from = "now-9m" +index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential SYN-Based Network Scan Detected" + +risk_score = 47 +rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409" +severity = "medium" +tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"] +type = "threshold" + +query = ''' +destination.port :* and network.packets <= 2 +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[rule.threshold] +field = ["destination.ip", "source.ip"] +value = 1 +[[rule.threshold.cardinality]] +field = "destination.port" +value = 10