diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 123ebf917..5303e11f2 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 33669f653..dc8f49bd6 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 22153ef2a..ba80df95a 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -71,6 +71,7 @@ "process.Ext.effective_parent.name": "keyword", "file.Ext.header_bytes": "keyword", "file.Ext.entropy": "long", + "file.Ext.windows.zone_identifier": "long", "file.size": "long", "file.Ext.original.name": "keyword", "dll.Ext.device.product_id": "keyword", diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 64e084555..c18651999 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -190,6 +190,13 @@ "type": "eql", "version": 106 }, + "07639887-da3a-4fbf-9532-8ce748ff8c50": { + "min_stack_version": "8.3", + "rule_name": "GitHub Protected Branch Settings Changed", + "sha256": "b801d28bb5398fb531f21cecefae0f3c21b0d7b4c675fc8349ccf4448e7a2b7c", + "type": "eql", + "version": 1 + }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", 
@@ -340,9 +347,9 @@ "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "min_stack_version": "8.5", "rule_name": "Threat Intel IP Address Indicator Match", - "sha256": "88e3b7fed59fc79874b0d6375168a21a7623b3a38a74c838ea3c3698190a92d1", + "sha256": "421308bb2c832aaa4cdbefbde389b0ff645e12fc5d7ea78c9296139099772abb", "type": "threat_match", - "version": 2 + "version": 3 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.3", @@ -637,6 +644,13 @@ "type": "query", "version": 102 }, + "14dab405-5dd9-450c-8106-72951af2391f": { + "min_stack_version": "8.3", + "rule_name": "Office Test Registry Persistence", + "sha256": "2a26bc9292902c92d9bc73a14ff7e20ffa9c0904b209692b1e8e23bd32c88fb3", + "type": "eql", + "version": 1 + }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "min_stack_version": "8.4", "previous": { @@ -967,6 +981,13 @@ "type": "query", "version": 6 }, + "1f460f12-a3cf-4105-9ebb-f788cc63f365": { + "min_stack_version": "8.3", + "rule_name": "Unusual Process Execution on WBEM Path", + "sha256": "7d596dca903c48dde13a6b90746947628693b11dd9140e3eb89ca6eba10ae966", + "type": "eql", + "version": 1 + }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "8.3", "rule_name": "Unusual Linux User Calling the Metadata Service", @@ -1036,6 +1057,13 @@ "type": "query", "version": 100 }, + "210d4430-b371-470e-b879-80b7182aa75e": { + "min_stack_version": "8.3", + "rule_name": "Mofcomp Activity", + "sha256": "d42c6a1889b42bcd83cb46d9838038cfd4248b792d5fef1abc4cedc81b269d4a", + "type": "eql", + "version": 1 + }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "min_stack_version": "8.4", "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", 
@@ -1517,6 +1545,13 @@ "type": "eql", "version": 1 }, + "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { + "min_stack_version": "8.3", + "rule_name": "GitHub Repository Deleted", + "sha256": "82225047c1559d8bba7c15944953088395802e8a1ad8fd0552714eee65b22635", + "type": "eql", + "version": 1 + }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "min_stack_version": "8.3", "rule_name": "Accepted Default Telnet Port Connection", @@ -1655,6 +1690,13 @@ "type": "query", "version": 103 }, + "39157d52-4035-44a8-9d1a-6f8c5f580a07": { + "min_stack_version": "8.3", + "rule_name": "Downloaded Shortcut Files", + "sha256": "362ab87565072831948627491a1ba91889340030ce6f1438122322ffa57acb5d", + "type": "eql", + "version": 1 + }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Outlook VBA", @@ -1706,9 +1748,9 @@ "3b47900d-e793-49e8-968f-c90dc3526aa1": { "min_stack_version": "8.3", "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "a9acccb7d18adc13099ab88eb003c037bf57f2defa18fc91c8945299c38cba92", + "sha256": "97b3141cf72282ca02c73091a527edf31e31d10d22d241e91c6d173bc1abd792", "type": "eql", - "version": 106 + "version": 107 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "min_stack_version": "8.3", @@ -2334,12 +2376,19 @@ "type": "eql", "version": 106 }, + "53dedd83-1be7-430f-8026-363256395c8b": { + "min_stack_version": "8.3", + "rule_name": "Binary Content Copy via Cmd.exe", + "sha256": "3ab2b049abaa1462ebed7b019dcd5da6957b5328c2ce7d2eb86b87e74a4ec28d", + "type": "eql", + "version": 1 + }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.3", "rule_name": "Uncommon Registry Persistence Change", - "sha256": "950bfce6a55758ef6c60b1fd13ef84531915c61992e405c7217f3bcb40df0f3f", + "sha256": "470d8e6c5c1dfd3564bd5f3b59d7853db9137942de25c38e4281b2d16df70ede", "type": "eql", - "version": 104 + "version": 105 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.3", 
@@ -2586,6 +2635,13 @@ "type": "new_terms", "version": 6 }, + "5c895b4f-9133-4e68-9e23-59902175355c": { + "min_stack_version": "8.6", + "rule_name": "Potential Meterpreter Reverse Shell", + "sha256": "5941e6650b12bc02b03d289fa389b9f2347c53636e6368753bd5917b5a776cd5", + "type": "eql", + "version": 1 + }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Discovery Activity", @@ -3537,6 +3593,13 @@ "type": "eql", "version": 3 }, + "800e01be-a7a4-46d0-8de9-69f3c9582b44": { + "min_stack_version": "8.3", + "rule_name": "Unusual Process Extension", + "sha256": "15e1dd225bae684eac522b61872faae250a8aac0c4cb71b4e6d68986665587ed", + "type": "eql", + "version": 1 + }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "min_stack_version": "8.3", "rule_name": "Unusual City For an AWS Command", @@ -4577,6 +4640,13 @@ "type": "eql", "version": 2 }, + "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { + "min_stack_version": "8.6", + "rule_name": "Potential Reverse Shell via UDP", + "sha256": "2bb373420b8f04de56b4e10442d426787ff255a9ed14d92c64f05a0c3334871f", + "type": "eql", + "version": 1 + }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "min_stack_version": "8.3", "rule_name": "Potential SSH Brute Force Detected on Privileged Account", @@ -4601,9 +4671,9 @@ "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "min_stack_version": "8.5", "rule_name": "Threat Intel Windows Registry Indicator Match", - "sha256": "1867577987b72a8cb67a4b74b89643d3df862354ae3eadfd616c9b51ec1000a0", + "sha256": "4c02e860e8200660cdd059bfaa155532f5b584f3325ac7ffbdafbebcefe5a234", "type": "threat_match", - "version": 2 + "version": 3 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.3", 
@@ -4714,9 +4784,9 @@ "aab184d3-72b3-4639-b242-6597c99d8bca": { "min_stack_version": "8.5", "rule_name": "Threat Intel Hash Indicator Match", - "sha256": "b84f93be7b12d9e7b6dc37e4b6f6f68f717bbb33d181321aaa4a2f77ed66a60d", + "sha256": "1532d5577abdf44288ebeb628cd80e676e02e99367876b31e9c46200d37d5e81", "type": "threat_match", - "version": 3 + "version": 4 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", @@ -4889,6 +4959,13 @@ "type": "eql", "version": 105 }, + "afd04601-12fc-4149-9b78-9c3f8fe45d39": { + "min_stack_version": "8.3", + "rule_name": "Network Activity Detected via cat", + "sha256": "842200b53b379cfcfe0e98cce8c0775e7120c7312edc3aecaa2cae7783559566", + "type": "eql", + "version": 1 + }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", @@ -5091,6 +5168,13 @@ "type": "eql", "version": 104 }, + "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { + "min_stack_version": "8.3", + "rule_name": "Kirbi File Creation", + "sha256": "5cc88228ed8f2119aba7d21bef4e172fec1499a3b3b8168eb439cb581d94c2ac", + "type": "eql", + "version": 1 + }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", @@ -5745,6 +5829,13 @@ "type": "eql", "version": 105 }, + "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { + "min_stack_version": "8.3", + "rule_name": "Downloaded URL Files", + "sha256": "3b2b2822568470b436f1a1db2ca7db260343faeb5f156b1b3b697a4393137938", + "type": "eql", + "version": 1 + }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.3", "rule_name": "Attempt to Deactivate MFA for an Okta User Account", 
@@ -5886,6 +5977,13 @@ "type": "eql", "version": 6 }, + "d3551433-782f-4e22-bbea-c816af2d41c6": { + "min_stack_version": "8.3", + "rule_name": "WMI WBEMTEST Utility Execution", + "sha256": "687d0e851309a066fb0d13b00750846d62e6da9fca5b2a80f9f8b6864ada9b76", + "type": "eql", + "version": 1 + }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "min_stack_version": "8.3", "rule_name": "Shell Execution via Apple Scripting", @@ -6492,7 +6590,7 @@ "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", "type": "eql", - "version": 2 + "version": 4 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "min_stack_version": "8.3", @@ -6886,9 +6984,9 @@ "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "min_stack_version": "8.5", "rule_name": "Threat Intel URL Indicator Match", - "sha256": "b03b79e60e32f4744d7db406946e56fc43bf99671ae3c7cd9af2dabdb17d171f", + "sha256": "f8210c3d8a13d1354dfe9c14053034eafc71b8bef3477f9e8e7279672ce95601", "type": "threat_match", - "version": 2 + "version": 3 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.3", @@ -6938,6 +7036,13 @@ "type": "query", "version": 1 }, + "f59668de-caa0-4b84-94c1-3a1549e1e798": { + "min_stack_version": "8.3", + "rule_name": "WMIC Remote Command", + "sha256": "dc6e94a20b8f1618cea407e2ac25227adc96daf497e2c1b5b034408f0e1aa3c9", + "type": "eql", + "version": 1 + }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "min_stack_version": "8.3", "rule_name": "Masquerading Space After Filename", @@ -7004,9 +7109,9 @@ "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "min_stack_version": "8.3", "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "b1b304251797d95d12cc192562063ef62b6569b453974d77fb9f017320ae1731", + "sha256": "afb59ffb04d13b21e0f2cff08ed6f27c27dde808d3cb5b84a5eb3ddb2d566665", "type": "eql", - "version": 107 + "version": 108 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.3", 
diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/cross-platform/threat_intel_indicator_match_address.toml
index 645fd1b45..33b1f3a77 100644
--- a/rules/cross-platform/threat_intel_indicator_match_address.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_address.toml
@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
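Review bot: The `user_account == null` term in the "Retrieve Services Running on User Accounts" query never matches in SQLite, where a comparison with NULL yields NULL rather than true; because that term is OR-ed with the three LIKE clauses, `NOT (... OR NULL)` is NULL for every row whose account is not a system account, so the WHERE clause drops exactly the rows the query is meant to return. Replace it with `user_account IS NULL`. The same `[transform]` block is added verbatim to the hash, registry and URL rule files in the later hunks of this commit, so the fix applies to each copy, and four identical copies will drift over time, so factoring the shared queries out is worth considering. The `services` and `authenticode` tables, and as far as I recall `dns_cache` as well, exist only on Windows in osquery, which the labels of these cross-platform rules could state.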
@@ -30,6 +55,9 @@ Matches are based on threat intelligence data that's been ingested during the la
 This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
 #### Possible investigation steps
 - Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.
diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml
index 9dc5fe673..bc87591b0 100644
--- a/rules/cross-platform/threat_intel_indicator_match_hash.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml
@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/cross-platform/threat_intel_indicator_match_registry.toml
index 61873d86b..0544553c9 100644
--- a/rules/cross-platform/threat_intel_indicator_match_registry.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_registry.toml
@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml
index 847c5ba85..548dcb99a 100644
--- a/rules/cross-platform/threat_intel_indicator_match_url.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_url.toml
@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -30,6 +55,9 @@ Matches are based on threat intelligence data that's been ingested during the la
 This rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
 #### Possible investigation steps
 - Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
new file mode 100644
index 000000000..d38ee9496
--- /dev/null
+++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/08/29"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules
+can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in
+your repository. Changes to these protected branch settings should be investigated and verified as legitimate
+activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed
+for future attacks.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub Protected Branch Settings Changed"
+risk_score = 47
+rule_id = "07639887-da3a-4fbf-9532-8ce748ff8c50"
+severity = "medium"
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+configuration where event.dataset == "github.audit"
+ and github.category == "protected_branch" and event.type == "change"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml
new file mode 100644
index 000000000..a3193318c
--- /dev/null
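Review bot: The query selects on `event.dataset == "github.audit"` while the sibling `impact_github_repository_deleted.toml` added in this commit selects on `event.module == "github"`; both read `logs-github.audit-*`, so the two GitHub rules should share one convention, e.g. `configuration where event.dataset == "github.audit" and event.action == "repo.destroy"` in the sibling. There is no `false_positives` entry or `note`, although every change in `github.category == "protected_branch"` fires the rule, including routine updates made by repository administrators; a one-line `false_positives` entry saying so would help triage. The description could also state which protected-branch operations the `event.type == "change"` selector is expected to cover, since that is the only filter beyond the category.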
+++ b/rules/integrations/github/impact_github_repository_deleted.toml
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2023/08/29"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/29"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a GitHub repository is deleted within your organization.
+Repositories are a critical component used within an organization to manage work,
+collaborate with others and release products to the public. Any delete action against
+a repository should be investigated to determine it's validity. Unauthorized deletion
+of organization repositories could cause irreversible loss of intellectual property and
+indicate compromise within your organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub Repository Deleted"
+risk_score = 47
+rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
+severity = "medium"
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+configuration where event.module == "github" and event.action == "repo.destroy"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
new file mode 100644
index 000000000..39cb4ed43
--- /dev/null
+++ b/rules/linux/command_and_control_cat_network_activity.toml
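Review bot: The description has a typo on its fourth line, `determine it's validity` should read `determine its validity`. The query has no exclusions, so a `false_positives` entry noting that routine repository cleanup by administrators also produces `repo.destroy` audit events would help an analyst triage the alert.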
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/09/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat
+is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel.
+This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
+or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Network Activity Detected via cat"
+risk_score = 47
+rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+ [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ process.name == "cat"]
+ [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and
+ process.name == "cat"]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index fd0b008d3..f5c6bef24 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -51,7 +51,8 @@ process where host.os.type == "windows" and event.type == "start" and
 "WerFault.exe",
 "WUDFHost.exe",
 "unsecapp.exe",
- "wlanext.exe" )
+ "wlanext.exe" ) and
+ not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")
 '''
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 1f981bea1..aaed54042 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -102,7 +102,14 @@ id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.002"
+name = "Screensaver"
+reference = "https://attack.mitre.org/techniques/T1546/002/"
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index b7e0207ac..1ba5001ae 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -137,6 +137,11 @@ id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.009"
+name = "Shortcut Modification"
+reference = "https://attack.mitre.org/techniques/T1547/009/"
+
 [rule.threat.tactic]
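Review bot: This rule omits `timestamp_override = "event.ingested"`, which every other new rule in this commit sets (the two GitHub rules and the four building-block rules); without it the `from = "now-9m"` lookback is applied to `@timestamp`, so endpoint events that are ingested late can fall outside the window and be missed. Add `timestamp_override = "event.ingested"` after the `tags` line, as in the other rules. The description also has a typo, `transfering` should be `transferring`. The three `[[rule.threat]]` blocks carry a tactic with no technique; that is valid, but since the description specifically calls out exfiltration, a technique under TA0010 would document the intent.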
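Review bot: The new exclusion keys on a bare CLSID in `process.parent.args` with nothing recording which COM server `{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}` belongs to, so a later maintainer cannot tell whether the exclusion is still justified; add a comment above the clause, or a sentence in the rule's `note`, naming the component and why its dllhost.exe surrogate legitimately launches cmd.exe. The clause is satisfied by the parent name and argument string alone, so adding `process.parent.executable : "?:\\Windows\\System32\\dllhost.exe"` to it would pin the exclusion to the real surrogate binary rather than to a name and argument. The `query = '''` string this hunk edits begins before the hunk.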
diff --git a/rules_building_block/credential_access_kirbi_file.toml b/rules_building_block/credential_access_kirbi_file.toml
new file mode 100644
index 000000000..f8dbf8449
--- /dev/null
+++ b/rules_building_block/credential_access_kirbi_file.toml
@@ -0,0 +1,70 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
+Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
+attacker to impersonate users using Kerberos tickets.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Kirbi File Creation"
+risk_score = 21
+rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
new file mode 100644
index 000000000..d7f1350a8
--- /dev/null
+++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Binary Content Copy via Cmd.exe"
+risk_score = 21
+rule_id = "53dedd83-1be7-430f-8026-363256395c8b"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "cmd.exe" and (
+ (process.args : "type" and process.args : (">", ">>")) or
+ (process.args : "copy" and process.args : "/b"))
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
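Review bot: The second `[[rule.threat]]` block maps this rule to TA0002 Execution through T1059.001 PowerShell, but the query is `file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"` with no process or script condition, so nothing in the rule backs an Execution or PowerShell mapping; drop that block, or if the intent is to cover tickets exported by PowerShell tooling, add the corresponding process condition and say so in the description. The first block (T1003 and T1558 under Credential Access) is the one the query actually supports.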
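Review bot: The `type` branch fires on any `cmd.exe` whose argument list contains `type` together with `>` or `>>`, which is also an ordinary batch-script file copy or log append, and the one-line description ("reassemble binary fragments") does not prepare an analyst for that; expand the description to name the two patterns (`type` with output redirection, and `copy /b`) and add a `false_positives` entry for administrative batch scripts. Since `process.args : "type"` matches the token anywhere in the argument list rather than only as the command verb, the rule should also be expected to fire on commands that merely pass `type` as an argument, which is worth stating in the same entry.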
diff --git a/rules_building_block/defense_evasion_unusual_process_extension.toml b/rules_building_block/defense_evasion_unusual_process_extension.toml
new file mode 100644
index 000000000..74f784b76
--- /dev/null
+++ b/rules_building_block/defense_evasion_unusual_process_extension.toml
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies processes running with unusual extensions that are not typically valid for Windows executables.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Process Extension"
+risk_score = 21
+rule_id = "800e01be-a7a4-46d0-8de9-69f3c9582b44"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.executable : "?*" and
+ not process.name : ("*.exe", "*.com", "*.scr", "*.tmp", "*.dat") and
+ not process.executable :
+ (
+ "MemCompression",
+ "Registry",
+ "vmmem",
+ "vmmemWSL",
+ "?:\\Program Files\\Dell\\SupportAssistAgent\\*.p5x",
+ "?:\\Program Files\\Docker\\Docker\\com.docker.service",
+ "?:\\Users\\*\\AppData\\Local\\Intel\\AGS\\Libs\\AGSRunner.bin"
+ ) and
+ not (
+ (process.name : "C9632CF058AE4321B6B0B5EA39B710FE" and process.code_signature.subject_name == "Dell Inc") or
+ (process.name : "*.upd" and process.code_signature.subject_name == "Bloomberg LP") or
+ (process.name: "FD552E21-686E-413C-931D-3B82A9D29F3B" and process.code_signature.subject_name: "Adobe Inc.") or
+ (process.name: "3B91051C-AE82-43C9-BCEF-0309CD2DD9EB" and process.code_signature.subject_name: "McAfee, LLC")
+ )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
new file mode 100644
index 000000000..bf630f783
--- /dev/null
+++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Process Execution on WBEM Path"
+risk_score = 21
+rule_id = "1f460f12-a3cf-4105-9ebb-f788cc63f365"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.executable : ("?:\\Windows\\System32\\wbem\\*", "?:\\Windows\\SysWow64\\wbem\\*") and
+ not process.name : (
+ "mofcomp.exe",
+ "scrcons.exe",
+ "unsecapp.exe",
+ "wbemtest.exe",
+ "winmgmt.exe",
+ "wmiadap.exe",
+ "wmiapsrv.exe",
+ "wmic.exe",
+ "wmiprvse.exe"
+ )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
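Review bot: The four signer-based exclusions at the end of the Unusual Process Extension query key on `process.code_signature.subject_name` alone, with no `process.code_signature.trusted == true`, so a binary carrying an invalid or self-issued certificate whose subject string happens to read `Dell Inc` or `Adobe Inc.` is excluded as though it were legitimately signed. Each tuple should also require a validated chain, e.g. `(process.name : "*.upd" and process.code_signature.subject_name == "Bloomberg LP" and process.code_signature.trusted == true)`. The path-based exclusions above them have the same weakness in a milder form: any file that lands at `?:\\Program Files\\Dell\\SupportAssistAgent\\*.p5x` is excluded regardless of who signed it, which is acceptable for an admin-only directory but worth stating in the description.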
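Review bot: The WBEM-path allowlist is by `process.name` only, so an attacker who drops an arbitrary binary into `System32\wbem\` under one of the nine listed names (e.g. `wmiprvse.exe`) is excluded — which is exactly the T1036 masquerading the rule is tagged for. Pairing the name list with a signature requirement inside the `not (...)`, e.g. `not (process.name : ("mofcomp.exe", ...) and process.code_signature.subject_name : "Microsoft *" and process.code_signature.trusted == true)`, keeps the noise reduction while still firing on an unsigned look-alike. It would also help to note in the description that `mofcomp.exe` and `wbemtest.exe` are deliberately excluded here because this commit ships dedicated building blocks for them.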
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules_building_block/execution_downloaded_shortcut_files.toml
similarity index 59%
rename from rules/windows/execution_downloaded_shortcut_files.toml
rename to rules_building_block/execution_downloaded_shortcut_files.toml
index 87e2411f5..259534f12 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules_building_block/execution_downloaded_shortcut_files.toml
@@ -1,37 +1,34 @@ [metadata] creation_date = "2020/09/02" -integration = ["endpoint", "windows"] -maturity = "development" -query_schema_validation = false -updated_date = "2023/06/22" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/23" [rule] author = ["Elastic"] description = """ Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns. + """ -from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] +from = "now-119m" +interval = "60m" +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Downloaded Shortcut Files" risk_score = 21 -rule_id = "6b1fd8e8-cefe-444c-bc4d-feaa2c497347" +rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' -/* leaving in development pending `file.Ext.windows.zone_identifier` landing in ECS then endpoint */ - -sequence by process.entity_id with maxspan=2s - /* file.extension added to endpoint fields for 7.10 */ - [file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk"] - /* not sure yet how the update will capture ADS */ - [file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk:Zone.Identifier" and - /* non-ECS field - may disqualify conversion */ - file.Ext.windows.zone_identifier > 1] +file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk" and 
file.Ext.windows.zone_identifier > 1 ''' diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules_building_block/execution_downloaded_url_file.toml similarity index 60% rename from rules/windows/execution_downloaded_url_file.toml rename to rules_building_block/execution_downloaded_url_file.toml index 603baeac0..71f3ee33e 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules_building_block/execution_downloaded_url_file.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/02" -integration = ["endpoint", "windows"] -maturity = "development" -query_schema_validation = false -updated_date = "2023/06/22" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/23" [rule] author = ["Elastic"] 
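Review bot: The rewritten query uses `file.extension == "lnk"`, and `==` is case-sensitive in EQL, so a download saved as `Invoice.LNK` (which Windows treats identically) is not matched; the process-name comparisons elsewhere in this commit use the case-insensitive `:` operator, and this line should too: `file where host.os.type == "windows" and event.type == "creation" and file.extension : "lnk" and`. The hunk also changes `rule_id` from `6b1fd8e8-…` to `39157d52-…`; if the old id was ever deployed from the development set, this orphans that rule instead of upgrading it, so confirm the new id is intentional. Unlike the sibling `.url` rule, no `explorer.exe` exclusion is applied here, which may be deliberate but is worth a sentence in the description. The `[[rule.threat]]` section of this file continues outside the hunk.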
@@ -11,26 +12,23 @@ description = """ Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns. """ -from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] +from = "now-119m" +interval = "60m" +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Downloaded URL Files" -risk_score = 47 +risk_score = 21 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb" -severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' -/* leaving in development pending `file.Ext.windows.zone_identifier` landing in ECS then endpoint */ - -sequence by process.entity_id with maxspan=2s - [file where host.os.type == "windows" and event.type == "creation" and file.extension == "url" and - not process.name == "explorer.exe"] - [file where host.os.type == "windows" and event.type == "creation" and file.extension == "url:Zone.Identifier" and - /* non-ECS field - may disqualify conversion */ - file.Ext.windows.zone_identifier > 1 and not process.name == "explorer.exe"] +file where host.os.type == "windows" and event.type == "creation" and file.extension == "url" + and file.Ext.windows.zone_identifier > 1 and not process.name : "explorer.exe" ''' diff --git a/rules_building_block/execution_mofcomp.toml b/rules_building_block/execution_mofcomp.toml new file mode 100644 index 000000000..7876fc1de --- /dev/null +++ b/rules_building_block/execution_mofcomp.toml 
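Review bot: `file.extension == "url"` is a case-sensitive comparison in EQL, so a file written as `Invoice.URL` slips past the rule even though Windows opens it the same way; it should use the `:` operator like the `process.name : "explorer.exe"` clause on the following line: `file where host.os.type == "windows" and event.type == "creation" and file.extension : "url"`. The `explorer.exe` exclusion is name-only, so a process masquerading as explorer.exe from a user-writable path is excluded as well; constraining it with `process.executable : "?:\\Windows\\explorer.exe"` narrows the exclusion without changing its intent. The `[[rule.threat]]` section of this file continues outside the hunk.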
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF
+files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or
+establish persistence using WMI Event Subscription.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Mofcomp Activity"
+risk_score = 21
+rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "mofcomp.exe" and process.args : "*.mof" and
+ not user.id : "S-1-5-18"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.003"
+name = "Windows Management Instrumentation Event Subscription"
+reference = "https://attack.mitre.org/techniques/T1546/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml
new file mode 100644
index 000000000..d4771fec3
--- /dev/null
+++ b/rules_building_block/execution_wmi_wbemtest.toml
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against
+local or remote endpoints.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "WMI WBEMTEST Utility Execution"
+risk_score = 21
+rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.name : "wbemtest.exe"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml
new file mode 100644
index 000000000..fcdef0622
--- /dev/null
+++ b/rules_building_block/lateral_movement_wmic_remote.toml
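Review bot: `not user.id : "S-1-5-18"` in the Mofcomp query drops every execution as LocalSystem, which is the context in which WMI event-subscription persistence is most often installed (services, `psexec -s`, scheduled tasks), so the rule misses the high-value case its own description calls out. If the exclusion is there to silence Windows servicing, scope it to that parent instead of to the account, e.g. `not (user.id : "S-1-5-18" and process.parent.executable : ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\WinSxS\\*"))`, so interactive or remotely launched SYSTEM runs stay visible. `process.args : "*.mof"` also assumes the input keeps its extension; I believe mofcomp parses whatever file it is handed, so a renamed `x.txt` evades — consider dropping that clause, and matching `process.pe.original_file_name == "mofcomp.exe"` alongside the name check so a renamed compiler is still caught.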
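Review bot: The WBEMTEST query keys only on `process.name : "wbemtest.exe"`, so a copy renamed to anything else runs without detection even though it is the same Microsoft-signed binary; matching the PE metadata as well, `(process.name : "wbemtest.exe" or process.pe.original_file_name == "wbemtest.exe")`, survives the rename at no extra cost. Since the building block carries no user, parent or argument filter, the description should say that it is expected to fire on administrators' interactive use and is meant to be correlated rather than alerted on directly.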
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately,
+attackers can abuse this built-in utility to achieve lateral movement.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "WMIC Remote Command"
+risk_score = 21
+rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "WMIC.exe" and
+ process.args : "*node:*" and
+ process.args : ("call", "set", "get")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules_building_block/persistence_msoffice_startup_registry.toml b/rules_building_block/persistence_msoffice_startup_registry.toml
new file mode 100644
index 000000000..456d3ffdf
--- /dev/null
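Review bot: The verb list `process.args : ("call", "set", "get")` omits WMIC's remaining verbs — `create`, `delete` and `list` — so `wmic /node:host process where name="av.exe" delete` (remote process kill) and `wmic /node:host process list brief` (remote enumeration) are not matched even though they carry the same `/node:` target; extend the line to `process.args : ("call", "set", "get", "create", "delete", "list")`. `process.name : "WMIC.exe"` is also name-only, so adding `or process.pe.original_file_name == "wmic.exe"` keeps a renamed copy in scope. Note that `/node:` pointing at the local host or `127.0.0.1` also matches, which is acceptable for a building block but should be stated in the description.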
+++ b/rules_building_block/persistence_msoffice_startup_registry.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/08/22"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to
+specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain
+persistence on a compromised host.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Office Test Registry Persistence"
+references = [
+ "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
+]
+risk_score = 21
+rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+registry where host.os.type == "windows" and event.action != "deletion" and
+ registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1137"
+name = "Office Application Startup"
+reference = "https://attack.mitre.org/techniques/T1137/"
+[[rule.threat.technique.subtechnique]]
+id = "T1137.002"
+name = "Office Test"
+reference = "https://attack.mitre.org/techniques/T1137/002/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
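Review bot: The pattern `*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*` does not match the redirected WOW6432Node view that 32-bit Office on 64-bit Windows writes to under HKLM (`...\\Software\\Wow6432Node\\Microsoft\\Office Test\\...`), so if that variant is in play the persistence key is missed; add `"*\\Software\\Wow6432Node\\Microsoft\\Office Test\\Special\\Perf\\*"` to the `registry.path` list. The trailing `\\*` also matches any subkey or value written under `Perf`, not only the default value holding the DLL path described in the Unit42 reference, which is fine for a building block but worth a sentence in the description.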
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 6e56a91c8..eaf7a86c7 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -1177,20 +1177,29 @@ class TestNoteMarkdownPlugins(BaseRuleTest): for rule in self.production_rules.rules: has_transform = rule.contents.get('transform') is not None has_note = rule.contents.data.get('note') is not None + note = rule.contents.data.note - if has_transform and not has_note: - self.fail(f'{self.rule_str(rule)} transformed defined with no note') - elif not has_transform: - continue + if has_transform: + if not has_note: + self.fail(f'{self.rule_str(rule)} transformed defined with no note') + else: + if not has_note: + continue + + note_template = PatchedTemplate(note) + identifiers = [i for i in note_template.get_identifiers() if '_' in i] + + if not has_transform: + if identifiers: + self.fail(f'{self.rule_str(rule)} note contains plugin placeholders with no transform entries') + else: + continue transform = rule.contents.transform transform_counts = {plugin: len(entries) for plugin, entries in transform.to_dict().items()} - note = rule.contents.data.note - self.assertIsNotNone(note) - note_template = PatchedTemplate(note) note_counts = defaultdict(int) - for identifier in note_template.get_identifiers(): + for identifier in identifiers: # "$" is used for other things, so this verifies the pattern of a trailing "_" followed by ints if '_' not in identifier: continue
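Review bot: The loop filter `if '_' not in identifier: continue` at the end of the hunk is dead code now that `identifiers` is built with `if '_' in i` a few lines earlier; drop the check and its comment, or keep the filtering in one place only. The `else: if not has_note: continue` pair reads more simply as `elif not has_note: continue`. `note = rule.contents.data.note` can be `None` when `has_transform` is true and `has_note` is false, but `self.fail` raises before `PatchedTemplate(note)` is reached, so that path is safe. The enclosing test method and the remainder of the loop body continue outside the hunk.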