From 138b46a42375ec64fa7e1855f1c8534144134c8d Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 5 Oct 2023 12:16:53 -0400
Subject: [PATCH] removing lmd rules and fixing version lock history (#3159)

(cherry picked from commit 57c05f0444bbed0f1c9291bf51ea19b082b59edd)
---
 detection_rules/etc/version.lock.json | 93 +------------------
 ...vement_malicious_remote_file_creation.toml | 45 ---------
 ...ovement_ml_high_mean_rdp_process_args.toml | 45 ---------
 ...ent_ml_high_mean_rdp_session_duration.toml | 45 ---------
 ...ral_movement_ml_high_remote_file_size.toml | 46 ---------
 ...ml_high_variance_rdp_session_duration.toml | 45 ---------
 ...ovement_ml_rare_remote_file_directory.toml | 45 ---------
 ...ovement_ml_rare_remote_file_extension.toml | 44 ---------
 ...spike_in_connections_from_a_source_ip.toml | 45 ---------
 ...ke_in_connections_to_a_destination_ip.toml | 45 ---------
 ...al_movement_ml_spike_in_rdp_processes.toml | 44 ---------
 ...ent_ml_spike_in_remote_file_transfers.toml | 46 ---------
 ...nt_ml_unusual_time_for_an_rdp_session.toml | 45 ---------
 ..._file_creation_in_sensitive_directory.toml | 57 ------------
 14 files changed, 1 insertion(+), 689 deletions(-)
 delete mode 100644 rules/integrations/lmd/lateral_movement_malicious_remote_file_creation.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
 delete mode 100644 rules/integrations/lmd/lateral_movement_remote_file_creation_in_sensitive_directory.toml
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 294abbc35..4c3f0d389 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -2,7 +2,7 @@
 "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Modify an Okta Policy Rule",
- "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
+ "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
 "type": "query",
 "version": 105
 },
@@ -169,13 +169,6 @@
 "type": "eql",
 "version": 4
 },
- "0678bc9c-b71a-433b-87e6-2f664b6b3131": {
- "min_stack_version": "8.5",
- "rule_name": "Unusual Remote File Size",
- "sha256": "4474648fdc8f0b955f03bda5337ba2f2645db4f902f82c9b5f399502684d327d",
- "type": "machine_learning",
- "version": 1
- },
 "06a7a03c-c735-47a6-a313-51c354aef6c3": {
 "min_stack_version": "8.3",
 "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
@@ -813,13 +806,6 @@
 "type": "eql",
 "version": 100
 },
- "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
- "min_stack_version": "8.5",
- "rule_name": "Spike in Number of Connections Made to a Destination IP",
- "sha256": "eea67da7d863bb4da8802088e97d3e0f188941c8484338c6e17099c6f9c88450",
- "type": "machine_learning",
- "version": 1
- },
 "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -834,13 +820,6 @@
 "type": "machine_learning",
 "version": 106
 },
- "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
- "min_stack_version": "8.5",
- "rule_name": "Spike in Number of Processes in an RDP Session",
- "sha256": "c2a98c086c35d0e6339615bc26c449c6e6e2a3cb850572c19b445f22fd02d3bc",
- "type": "machine_learning",
- "version": 1
- },
 "1a289854-5b78-49fe-9440-8a8096b1ab50": {
 "min_stack_version": "8.8",
 "rule_name": "Suspicious Network Tool Launched Inside A Container",
@@ -1141,13 +1120,6 @@
 "type": "eql",
 "version": 105
 },
- "2377946d-0f01-4957-8812-6878985f515d": {
- "min_stack_version": "8.5",
- "rule_name": "Remote File Creation on a Sensitive Directory",
- "sha256": "6c62d2b1221abd06ad64acfcf05620adc52bc244fa55a8eccf63b284d974ab08",
- "type": "eql",
- "version": 1
- },
 "25224a80-5a4a-4b8a-991e-6ab390465c4f": {
 "min_stack_version": "8.3",
 "rule_name": "Lateral Movement via Startup Folder",
@@ -1475,13 +1447,6 @@
 "type": "eql",
 "version": 106
 },
- "301571f3-b316-4969-8dd0-7917410030d3": {
- "min_stack_version": "8.5",
- "rule_name": "Malicious Remote File Creation",
- "sha256": "a77b63c0cec99d37a8e4a3609137a34580f0cca84198c663fb6adcb5efb462bf",
- "type": "eql",
- "version": 1
- },
 "30562697-9859-4ae0-a8c5-dab45d664170": {
 "min_stack_version": "8.3",
 "rule_name": "GCP Firewall Rule Creation",
@@ -1642,13 +1607,6 @@
 "type": "eql",
 "version": 104
 },
- "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
- "min_stack_version": "8.5",
- "rule_name": "High Mean of Process Arguments in an RDP Session",
- "sha256": "5e13a7be5f8a00aa914acf030478774a709c75e65e739272b194674bebf33f1d",
- "type": "machine_learning",
- "version": 1
- },
 "3728c08d-9b70-456b-b6b8-007c7d246128": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Suspicious File Edit",
@@ -1822,13 +1780,6 @@
 "type": "query",
 "version": 106
 },
- "3e0561b5-3fac-4461-84cc-19163b9aaa61": {
- "min_stack_version": "8.5",
- "rule_name": "Spike in Number of Connections Made from a Source IP",
- "sha256": "65fe46f9242a840f6c97a70fa3782f5c6b4b016bf458fecb8460e3ca8e3e17f3",
- "type": "machine_learning",
- "version": 1
- },
 "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
@@ -1901,13 +1852,6 @@
 "type": "eql",
 "version": 2
 },
- "3f4e2dba-828a-452a-af35-fe29c5e78969": {
- "min_stack_version": "8.5",
- "rule_name": "Unusual Time or Day for an RDP Session",
- "sha256": "616e8eb4fc391b32d81e6e8219a3c053453306a6048116d1e837b55ec439363f",
- "type": "machine_learning",
- "version": 1
- },
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Persistence via Services Registry",
@@ -3670,13 +3614,6 @@
 "type": "query",
 "version": 101
 },
- "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
- "min_stack_version": "8.5",
- "rule_name": "Unusual Remote File Extension",
- "sha256": "6e54a46cf82894aa5484fcd4379b15fedf0c9cb10afb88344a3035f32f6a5727",
- "type": "machine_learning",
- "version": 1
- },
 "818e23e6-2094-4f0e-8c01-22d30f3506c6": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Script Block Logging Disabled",
@@ -4759,13 +4696,6 @@
 "type": "eql",
 "version": 104
 },
- "a74c60cb-70ee-4629-a127-608ead14ebf1": {
- "min_stack_version": "8.5",
- "rule_name": "High Mean of RDP Session Duration",
- "sha256": "261e95ec78136218300b4b17a48e642b472f7a6cd692487fb36e3a707b6ce56a",
- "type": "machine_learning",
- "version": 1
- },
 "a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Print Spooler SPL File Created",
@@ -4794,13 +4724,6 @@
 "type": "eql",
 "version": 1
 },
- "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
- "min_stack_version": "8.5",
- "rule_name": "High Variance in RDP Session Duration",
- "sha256": "7b577644248850837c58cfb8850fdce3df772501393676bb090118f5ca4c3f22",
- "type": "machine_learning",
- "version": 1
- },
 "a9198571-b135-4a76-b055-e3e5a476fd83": {
 "rule_name": "Hex Encoding/Decoding Activity",
 "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
@@ -5441,13 +5364,6 @@
 "type": "eql",
 "version": 105
 },
- "be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
- "min_stack_version": "8.5",
- "rule_name": "Unusual Remote File Directory",
- "sha256": "031fe3c29bbf87093165028e79236de7553cdf3f3f10ab76a86289f3e6dfa1f6",
- "type": "machine_learning",
- "version": 1
- },
 "be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
 "min_stack_version": "8.3",
 "rule_name": "Searching for Saved Credentials via VaultCmd",
@@ -6776,13 +6692,6 @@
 "type": "eql",
 "version": 104
 },
- "e9b0902b-c515-413b-b80b-a8dcebc81a66": {
- "min_stack_version": "8.5",
- "rule_name": "Spike in Remote File Transfers",
- "sha256": "0f4119237d356fe2c032c074c5de136fb71aec5533ecac64a6152b49c3b3f92a",
- "type": "machine_learning",
- "version": 1
- },
 "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
 "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
 "sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
diff --git a/rules/integrations/lmd/lateral_movement_malicious_remote_file_creation.toml b/rules/integrations/lmd/lateral_movement_malicious_remote_file_creation.toml
deleted file mode 100644
index 4b1f99bef..000000000
--- a/rules/integrations/lmd/lateral_movement_malicious_remote_file_creation.toml
+++ /dev/null
@@ -1,45 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd","endpoint"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-author = ["Elastic"]
-description = "Malicious remote file creation, which can be an indicator of lateral movement activity."
-from = "now-10m"
-index = ["logs-endpoint.events.*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-name = "Malicious Remote File Creation"
-references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
-risk_score = 99
-rule_id = "301571f3-b316-4969-8dd0-7917410030d3"
-severity = "critical"
-tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
-type = "eql"
-
-query = '''
-sequence by host.name
-[file where event.action == "creation" and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
-[file where event.category == "malware" or event.category == "intrusion_detection"
-and process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
deleted file mode 100644
index 233c5b43a..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
+++ /dev/null
@@ -1,45 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-A machine learning job has detected unusually high number of process arguments in an RDP session. Executing
-sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms,
-redirection and piping, which in turn increases the number of arguments in a command.
-"""
-from = "now-12h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_mean_rdp_process_args"
-name = "High Mean of Process Arguments in an RDP Session"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
deleted file mode 100644
index d7ebe48a3..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
+++ /dev/null
@@ -1,45 +0,0 @@
-[metadata]
-creation_date = "2023/09/12"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade
-detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might
-require uninterrupted access to a compromised machine.
-"""
-from = "now-12h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
-name = "High Mean of RDP Session Duration"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
deleted file mode 100644
index 3323a6915..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
+++ /dev/null
@@ -1,46 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral
-movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
-valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data
-into a single large file transfer.
-"""
-from = "now-90m"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
-name = "Unusual Remote File Size"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
deleted file mode 100644
index eff288b76..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
+++ /dev/null
@@ -1,45 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to
-evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that
-might require uninterrupted access to a compromised machine.
-"""
-from = "now-12h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_var_rdp_session_duration"
-name = "High Variance in RDP Session Duration"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
deleted file mode 100644
index 218797237..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
+++ /dev/null
@@ -1,45 +0,0 @@
-[metadata]
-creation_date = "2023/09/12"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral
-movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so
-attackers might use less common directories to bypass monitoring.
-"""
-from = "now-90m"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
-name = "Unusual Remote File Directory"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
deleted file mode 100644
index 437aaf652..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
+++ /dev/null
@@ -1,44 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential
-lateral movement activity on the host.
-"""
-from = "now-90m"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
-name = "Unusual Remote File Extension"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
deleted file mode 100644
index 5b38eff6a..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
+++ /dev/null
@@ -1,45 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source
-IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of
-valuable assets, data, or further access points.
-"""
-from = "now-12h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
-name = "Spike in Number of Connections Made from a Source IP"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
deleted file mode 100644
index c32204374..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
+++ /dev/null
@@ -1,45 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination
-IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets
-detected and blocked.
-"""
-from = "now-12h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
-name = "Spike in Number of Connections Made to a Destination IP"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
deleted file mode 100644
index cb834fb68..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
+++ /dev/null
@@ -1,44 +0,0 @@
-[metadata]
-creation_date = "2023/09/12"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a
-large number of processes remotely on other machines can be an indicator of lateral movement activity.
-"""
-from = "now-12h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
-name = "Spike in Number of Processes in an RDP Session"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
deleted file mode 100644
index ed4402ce0..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
+++ /dev/null
@@ -1,46 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral
-movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
-valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network,
-to evade detection.
-"""
-from = "now-90m"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_high_count_remote_file_transfer"
-name = "Spike in Remote File Transfers"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
deleted file mode 100644
index 7d1867075..000000000
--- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
+++ /dev/null
@@ -1,45 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-anomaly_threshold = 70
-author = ["Elastic"]
-description = """
-A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual
-time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger
-attack.
-"""
-from = "now-12h"
-interval = "15m"
-license = "Elastic License v2"
-machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
-name = "Unusual Time or Day for an RDP Session"
-references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
-risk_score = 21
-rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
-severity = "low"
-tags = [
- "Use Case: Lateral Movement Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Lateral Movement",
-]
-type = "machine_learning"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/integrations/lmd/lateral_movement_remote_file_creation_in_sensitive_directory.toml b/rules/integrations/lmd/lateral_movement_remote_file_creation_in_sensitive_directory.toml
deleted file mode 100644
index 11f92beec..000000000
--- a/rules/integrations/lmd/lateral_movement_remote_file_creation_in_sensitive_directory.toml
+++ /dev/null
@@ -1,57 +0,0 @@
-[metadata]
-creation_date = "2023/09/13"
-integration = ["lmd","endpoint"]
-maturity = "production"
-min_stack_comments = "LMD first package ga available in 8.5.0"
-min_stack_version = "8.5.0"
-updated_date = "2023/09/27"
-
-[rule]
-author = ["Elastic"]
-description = """
-Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these
-directories could indicate a malicious binary or script trying to compromise the system.
-"""
-from = "now-10m"
-index = ["logs-endpoint.events.*"]
-interval = "5m"
-language = "eql"
-license = "Elastic License v2"
-name = "Remote File Creation on a Sensitive Directory"
-references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
-risk_score = 47
-rule_id = "2377946d-0f01-4957-8812-6878985f515d"
-severity = "medium"
-tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-file where (event.action == "creation" or event.action == "modification") and
-process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and not
-user.name:("SYSTEM", "root") and
-(file.path : ("C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*",
- "C*\\Windows\\*", "C*\\Windows\\System\\*",
- "C*\\Windows\\System32\\*", "/etc/*", "/tmp*",
- "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
- "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
- "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
- "/lib/systemd/*"
- )
-)
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1210"
-name = "Exploitation of Remote Services"
-reference = "https://attack.mitre.org/techniques/T1210/"
-
-
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-