removing lmd rules and fixing version lock history (#3159)

(cherry picked from commit 57c05f0444)
This commit is contained in:
Terrance DeJesus
2023-10-05 12:16:53 -04:00
committed by github-actions[bot]
parent b6da24629e
commit 138b46a423
14 changed files with 1 additions and 689 deletions
+1 -92
@@ -2,7 +2,7 @@
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
"sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
"type": "query",
"version": 105
},
@@ -169,13 +169,6 @@
"type": "eql",
"version": 4
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"min_stack_version": "8.5",
"rule_name": "Unusual Remote File Size",
"sha256": "4474648fdc8f0b955f03bda5337ba2f2645db4f902f82c9b5f399502684d327d",
"type": "machine_learning",
"version": 1
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
@@ -813,13 +806,6 @@
"type": "eql",
"version": 100
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"min_stack_version": "8.5",
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "eea67da7d863bb4da8802088e97d3e0f188941c8484338c6e17099c6f9c88450",
"type": "machine_learning",
"version": 1
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -834,13 +820,6 @@
"type": "machine_learning",
"version": 106
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"min_stack_version": "8.5",
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "c2a98c086c35d0e6339615bc26c449c6e6e2a3cb850572c19b445f22fd02d3bc",
"type": "machine_learning",
"version": 1
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"min_stack_version": "8.8",
"rule_name": "Suspicious Network Tool Launched Inside A Container",
@@ -1141,13 +1120,6 @@
"type": "eql",
"version": 105
},
"2377946d-0f01-4957-8812-6878985f515d": {
"min_stack_version": "8.5",
"rule_name": "Remote File Creation on a Sensitive Directory",
"sha256": "6c62d2b1221abd06ad64acfcf05620adc52bc244fa55a8eccf63b284d974ab08",
"type": "eql",
"version": 1
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
"rule_name": "Lateral Movement via Startup Folder",
@@ -1475,13 +1447,6 @@
"type": "eql",
"version": 106
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"min_stack_version": "8.5",
"rule_name": "Malicious Remote File Creation",
"sha256": "a77b63c0cec99d37a8e4a3609137a34580f0cca84198c663fb6adcb5efb462bf",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Creation",
@@ -1642,13 +1607,6 @@
"type": "eql",
"version": 104
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"min_stack_version": "8.5",
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "5e13a7be5f8a00aa914acf030478774a709c75e65e739272b194674bebf33f1d",
"type": "machine_learning",
"version": 1
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious File Edit",
@@ -1822,13 +1780,6 @@
"type": "query",
"version": 106
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"min_stack_version": "8.5",
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "65fe46f9242a840f6c97a70fa3782f5c6b4b016bf458fecb8460e3ca8e3e17f3",
"type": "machine_learning",
"version": 1
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
@@ -1901,13 +1852,6 @@
"type": "eql",
"version": 2
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"min_stack_version": "8.5",
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "616e8eb4fc391b32d81e6e8219a3c053453306a6048116d1e837b55ec439363f",
"type": "machine_learning",
"version": 1
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.3",
"rule_name": "Unusual Persistence via Services Registry",
@@ -3670,13 +3614,6 @@
"type": "query",
"version": 101
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"min_stack_version": "8.5",
"rule_name": "Unusual Remote File Extension",
"sha256": "6e54a46cf82894aa5484fcd4379b15fedf0c9cb10afb88344a3035f32f6a5727",
"type": "machine_learning",
"version": 1
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script Block Logging Disabled",
@@ -4759,13 +4696,6 @@
"type": "eql",
"version": 104
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "8.5",
"rule_name": "High Mean of RDP Session Duration",
"sha256": "261e95ec78136218300b4b17a48e642b472f7a6cd692487fb36e3a707b6ce56a",
"type": "machine_learning",
"version": 1
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler SPL File Created",
@@ -4794,13 +4724,6 @@
"type": "eql",
"version": 1
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"min_stack_version": "8.5",
"rule_name": "High Variance in RDP Session Duration",
"sha256": "7b577644248850837c58cfb8850fdce3df772501393676bb090118f5ca4c3f22",
"type": "machine_learning",
"version": 1
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
@@ -5441,13 +5364,6 @@
"type": "eql",
"version": 105
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"min_stack_version": "8.5",
"rule_name": "Unusual Remote File Directory",
"sha256": "031fe3c29bbf87093165028e79236de7553cdf3f3f10ab76a86289f3e6dfa1f6",
"type": "machine_learning",
"version": 1
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.3",
"rule_name": "Searching for Saved Credentials via VaultCmd",
@@ -6776,13 +6692,6 @@
"type": "eql",
"version": 104
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"min_stack_version": "8.5",
"rule_name": "Spike in Remote File Transfers",
"sha256": "0f4119237d356fe2c032c074c5de136fb71aec5533ecac64a6152b49c3b3f92a",
"type": "machine_learning",
"version": 1
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
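Review bot: The one added line in this section (the `"sha256"` entry for rule `000047bb-b27a-47ec-8b62-ef1a5d2c9e19` in the first hunk) renders identically to the line it replaces, so this view cannot show what changed there; it is presumably a whitespace or hash correction, and that should be confirmed against the raw diff, since a stale hash in the lock file defeats the purpose of the lock. The remaining thirteen hunks each drop a seven-line entry whose key matches the `rule_id` of one of the deleted LMD rule files in this commit (for example `0678bc9c-b71a-433b-87e6-2f664b6b3131` and `301571f3-b316-4969-8dd0-7917410030d3`), which is consistent with the commit title. Deleting the entries outright rather than recording a deprecation means a later reintroduction of any of these rule_ids would appear to start again at `"version": 1`, if the lock semantics work as they look from here; if the repository has a deprecation record for removed rules, adding these ids there would preserve the history the commit title says it is fixing.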
@@ -1,45 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd","endpoint"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
author = ["Elastic"]
description = "Malicious remote file creation, which can be an indicator of lateral movement activity."
from = "now-10m"
index = ["logs-endpoint.events.*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Malicious Remote File Creation"
references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
risk_score = 99
rule_id = "301571f3-b316-4969-8dd0-7917410030d3"
severity = "critical"
tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.name
[file where event.action == "creation" and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
[file where event.category == "malware" or event.category == "intrusion_detection"
and process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,45 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high number of process arguments in an RDP session. Executing
sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms,
redirection and piping, which in turn increases the number of arguments in a command.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_mean_rdp_process_args"
name = "High Mean of Process Arguments in an RDP Session"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,45 +0,0 @@
[metadata]
creation_date = "2023/09/12"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade
detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might
require uninterrupted access to a compromised machine.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
name = "High Mean of RDP Session Duration"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,46 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral
movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data
into a single large file transfer.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
name = "Unusual Remote File Size"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,45 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to
evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that
might require uninterrupted access to a compromised machine.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_var_rdp_session_duration"
name = "High Variance in RDP Session Duration"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,45 +0,0 @@
[metadata]
creation_date = "2023/09/12"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral
movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so
attackers might use less common directories to bypass monitoring.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
name = "Unusual Remote File Directory"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,44 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential
lateral movement activity on the host.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
name = "Unusual Remote File Extension"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,45 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source
IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of
valuable assets, data, or further access points.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
name = "Spike in Number of Connections Made from a Source IP"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,45 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination
IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets
detected and blocked.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
name = "Spike in Number of Connections Made to a Destination IP"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,44 +0,0 @@
[metadata]
creation_date = "2023/09/12"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a
large number of processes remotely on other machines can be an indicator of lateral movement activity.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
name = "Spike in Number of Processes in an RDP Session"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,46 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral
movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network,
to evade detection.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_count_remote_file_transfer"
name = "Spike in Remote File Transfers"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,45 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual
time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger
attack.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
name = "Unusual Time or Day for an RDP Session"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
severity = "low"
tags = [
"Use Case: Lateral Movement Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Lateral Movement",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,57 +0,0 @@
[metadata]
creation_date = "2023/09/13"
integration = ["lmd","endpoint"]
maturity = "production"
min_stack_comments = "LMD first package ga available in 8.5.0"
min_stack_version = "8.5.0"
updated_date = "2023/09/27"
[rule]
author = ["Elastic"]
description = """
Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these
directories could indicate a malicious binary or script trying to compromise the system.
"""
from = "now-10m"
index = ["logs-endpoint.events.*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Remote File Creation on a Sensitive Directory"
references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
risk_score = 47
rule_id = "2377946d-0f01-4957-8812-6878985f515d"
severity = "medium"
tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where (event.action == "creation" or event.action == "modification") and
process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and not
user.name:("SYSTEM", "root") and
(file.path : ("C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*",
"C*\\Windows\\*", "C*\\Windows\\System\\*",
"C*\\Windows\\System32\\*", "/etc/*", "/tmp*",
"/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
"/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
"/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
"/lib/systemd/*"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"