diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 2ed1e6bb0..aab5ce6c9 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index e1067d80c..4946d928b 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -53,7 +53,7 @@ class RuleMeta(MarshmallowDataclassMixin):
 # Optional fields
 comments: Optional[str]
- integration: Optional[str]
+ integration: Optional[Union[str, List[str]]]
 maturity: Optional[definitions.Maturity]
 min_stack_version: Optional[definitions.SemVer]
 min_stack_comments: Optional[str]
@@ -958,7 +958,13 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
 datasets.update(set(str(n) for n in node if isinstance(n, kql.ast.Value)))
 if not datasets:
- return
+ # windows and endpoint integration do not have event.dataset fields in queries
+ # integration is None to remove duplicate references upstream in Kibana
+ rule_integrations = self.metadata.get("integration", [])
+ if rule_integrations:
+ for integration in rule_integrations:
+ if integration in ["windows", "endpoint", "apm"]:
+ packaged_integrations.append({"package": integration, "integration": None})
 for value in sorted(datasets):
 integration = 'Unknown'
diff --git a/pyproject.toml b/pyproject.toml
index 64a9b18b6..fefd6a9a3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -52,6 +52,11 @@ dev = ["pep8-naming==0.7.0", "PyGithub==1.55", "flake8==3.8.1", "pyflakes==2.2.0
 package-data = {"kql" = ["*.g"]}
 packages = ["detection_rules", "kql", "kibana", "rta"]
+[tool.pytest.ini_options] filterwarnings = [
+ "ignore::DeprecationWarning"
+]
+
 [build-system]
 requires = ["setuptools", "wheel", "setuptools_scm"]
 build-backend = "setuptools.build_meta"
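Review bot: The new loop in the `if not datasets:` branch assumes `self.metadata["integration"]` is a list, but the RuleMeta hunk above widens the field to `Optional[Union[str, List[str]]]`, so a rule that still declares `integration = "endpoint"` as a plain string is iterated character by character and silently contributes no package entry. Normalise before iterating, e.g. `if isinstance(rule_integrations, str): rule_integrations = [rule_integrations]`, and consider lifting `["windows", "endpoint", "apm"]` into a named module-level constant so the no-dataset integrations are documented in one place. With the early `return` gone, control now falls through to `for value in sorted(datasets)` over an empty set; a one-line comment such as `# no datasets: only the explicit integrations above are reported` would make that intentional. The enclosing method continues outside the hunk, and the hunk does not show whether `Union` and `List` are already imported in rule.py.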
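Review bot: `filterwarnings = ["ignore::DeprecationWarning"]` suppresses every DeprecationWarning from every dependency during the test run, which also hides warnings about APIs the project itself calls that are about to be removed. Scope the filter to the module that emits the noise using pytest's `action:message:category:module` form, e.g. `"ignore::DeprecationWarning:<module-emitting-the-warning>"`, or leave a comment naming the warning being silenced so the ignore can be revisited later. The hunk does not show which warning motivated the change.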
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index 4cb1d4041..daae75a04 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 1af9fe468..45f9b179a 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index b580bdcfc..db3ec8ce1 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
index 27c3f135f..e8169e565 100644
--- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
+++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/10/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/18"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -14,11 +15,10 @@ standard port a protocol uses to bypass filtering or muddle analysis/parsing of
 """
 false_positives = [
 """
- SSH over ports apart from the traditional port 22 is highly uncommon.
- This rule alerts the usage of the such uncommon ports by the ssh service.
- Tuning is needed to have higher confidence.
- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a
- combination whitelisted ports for such legitimate ssh activities.
+ SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such
+ uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and
+ noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such
+ legitimate ssh activities.
 """,
 ]
 from = "now-9m"
@@ -26,9 +26,7 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Non-Standard Port SSH connection"
-references = [
- "https://attack.mitre.org/techniques/T1571/"
-]
+references = ["https://attack.mitre.org/techniques/T1571/"]
 risk_score = 21
 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
 severity = "low"
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index 424246a78..64dab70ad 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/21"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 57049b01d..4131da915 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/03"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index fc3a47d28..15e1aa0fe 100644
--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/05/04"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
index d53dbd7d3..c0acaedfb 100644
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -3,7 +3,8 @@ creation_date = "2022/05/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/15"
+integration = ["endpoint"]
 [rule]
 author = ["Elastic"]
@@ -14,7 +15,7 @@ may also indicate an issue with the agent itself and should be addressed to ensu
 stable state.
 """
 from = "now-9m"
-index = ["logs-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Elastic Agent Service Terminated"
diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
index 5b11cd2e3..2f9a05668 100644
--- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
+++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/10/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/01"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
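Review bot: Changing `index` from `logs-*` to `logs-endpoint.events.*` narrows what this rule can match, not just its formatting, yet nothing in the hunk records why; if the agent-termination events can also arrive through data streams other than the Endpoint integration (the query is outside the hunk, so I cannot confirm), those would no longer be evaluated, and the rule's `min_stack_comments` or the PR description should state the intended scope. Separately, this file sets `updated_date = "2022/12/15"` while every other rule in the commit uses `"2022/12/14"`, and `integration = ["endpoint"]` is placed after `updated_date` rather than in the alphabetical slot used elsewhere; moving `integration = ["endpoint"]` between `creation_date` and `maturity` would keep the metadata blocks uniform.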
@@ -11,8 +12,8 @@ description = """
 This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can
-hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so
-that the OS automatically executes the file when it's double-clicked.
+hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name
+so that the OS automatically executes the file when it's double-clicked.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -35,7 +36,7 @@ type = "eql"
 query = '''
 process where host.os.type:("linux","macos") and
- event.type == "start" and
+ event.type == "start" and
 (process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""") and
 not process.name in ("ls", "find", "grep", "xkbcomp")
 '''
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml
index 16bbd0cb7..79ae02377 100644
--- a/rules/cross-platform/defense_evasion_timestomp_touch.toml
+++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/03"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 49031193b..034ebe858 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/20"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/11"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
index b2d70bc98..3c2217ab4 100644
--- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
+++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/09/29"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index efb705d17..fe42c3120 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/12"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -25,21 +26,22 @@ query = '''
 event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-id = "T1059"
 [[rule.threat.technique.subtechnique]]
 id = "T1059.006"
 name = "Python"
 reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [rule.threat.tactic]
+id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-id = "TA0002"
-
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
index 153f7aebd..e47ad6914 100644
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ b/rules/cross-platform/execution_python_script_in_cmdline.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/01/13"
+integration = ["endpoint"]
 maturity = "development"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index 500d02433..f8d05df21 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/11"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 2da899698..6d45621da 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/19"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -63,7 +64,7 @@ references = [
 "https://github.com/christophetd/log4shell-vulnerable-app",
 "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
 "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
- "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"
+ "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046",
 ]
 risk_score = 47
 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index a192037bc..ef58fbef7 100644
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
@@ -1,15 +1,17 @@
 [metadata]
 creation_date = "2021/12/10"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
 description = """
 Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child
-processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.
+processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection
+vulnerability.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
@@ -17,11 +19,11 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential JAVA/JNDI Exploitation Attempt"
 references = [
-"https://www.lunasec.io/docs/blog/log4j-zero-day/",
-"https://github.com/christophetd/log4shell-vulnerable-app",
-"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
-"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
-"https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://github.com/christophetd/log4shell-vulnerable-app",
+ "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
+ "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
+ "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046",
 ]
 risk_score = 73
 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
@@ -69,12 +71,15 @@ id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml
index 6792b8864..71a0124fe 100644
--- a/rules/cross-platform/guided_onboarding_sample_rule.toml
+++ b/rules/cross-platform/guided_onboarding_sample_rule.toml
@@ -11,14 +11,10 @@ description = """
 This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity.
 """
-false_positives = [
- """
- This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.
- """,
-]
-max_signals = 1
-interval = "24h"
 enabled = false
+false_positives = [
+ "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
+]
 from = "now-24h"
 index = [
 "apm-*-transaction*",
@@ -29,10 +25,12 @@ index = [
 "packetbeat-*",
 "traces-apm*",
 "winlogbeat-*",
- "-*elastic-cloud-logs-*"
+ "-*elastic-cloud-logs-*",
 ]
+interval = "24h"
 language = "kuery"
 license = "Elastic License v2"
+max_signals = 1
 name = "My First Rule"
 note = """
 This is a test alert.
@@ -55,6 +53,9 @@ query = '''
 event.kind:"event"
 '''
+
+
 [rule.threshold]
 field = ["host.name"]
 value = 1
+
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 162a5eb1f..6290ddbc4 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/07/07"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/10/11"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -103,16 +104,17 @@ any where
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1565"
-reference = "https://attack.mitre.org/techniques/T1565/"
 name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
 [[rule.threat.technique.subtechnique]]
 id = "T1565.001"
-reference = "https://attack.mitre.org/techniques/T1565/001/"
 name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
 [rule.threat.tactic]
 id = "TA0040"
-reference = "https://attack.mitre.org/tactics/TA0040/"
 name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index 7f6fd6d01..536a6cbf7 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/21"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index 400716f83..9a5a16c13 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/19"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index 234ed6bc6..de504b53e 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/22"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index 5e4bc2344..846cf07e4 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/26"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index a0d341570..740127d9d 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/04/23"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -80,3 +81,4 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index cdc057354..074142b51 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/02/03"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index 492f3bf90..dc9206d56 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/04/13"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 888017198..a40d2faba 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
-integration = "aws"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
index 1d296a24d..1f2c709ec 100644
--- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/16"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,15 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Investigation Guide",
+]
 type = "threshold"
 query = '''
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index 04e02ff49..4cf4d544f 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/04"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,17 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Credential Access",
+ "Persistence",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 7a1242432..aa67fc512 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/21"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
index c196aa384..6559e36de 100644
--- a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/06"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -90,7 +90,16 @@ references = [
 risk_score = 47
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Data Protection",
+ "Credential Access",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index c1a41d79d..d55fa0929 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/05/26"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -12,8 +12,8 @@ description = "Identifies the deletion of an AWS log trail. An adversary may del
 false_positives = [
 """
 Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent,
- and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should
- be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be
+ investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
 from = "now-60m"
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 6919c1224..a7b31d628 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/10"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 05454ee99..d3fae5a27 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/15" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -12,8 +12,8 @@ description = "Identifies the deletion of an AWS CloudWatch alarm. An adversary false_positives = [ """ Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm - deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it - can be exempted from the rule. + deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can + be exempted from the rule. """, ] from = "now-60m" diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml index 0c25ef2f7..785aea055 100644 --- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml +++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/26" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml index 06c0bdecf..2e55bcf42 100644 --- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/16" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml index 83b3d6bcc..7676fc43e 100644 --- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml +++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/15" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -15,8 +15,8 @@ in an attempt to evade defenses. false_positives = [ """ Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log - deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it - can be exempted from the rule. + deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can + be exempted from the rule. """, ] from = "now-60m" diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml index 8c248169a..bfb6f428f 100644 --- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/26" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -15,8 +15,8 @@ ingress/egress entries. false_positives = [ """ Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or - hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should - be investigated. If known behavior is causing false positives, it can be exempted from the rule. + hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml index aeb3c3cbf..7c04969bd 100644 --- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml +++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml 
@@ -1,19 +1,20 @@ [metadata] creation_date = "2021/07/19" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = "Identifies when an ElastiCache security group has been created." false_positives = [ """ - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user - agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users - or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, + user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar + users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the + rule. """, ] from = "now-60m" @@ -25,7 +26,9 @@ name = "AWS ElastiCache Security Group Created" note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" -references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"] +references = [ + "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html", +] risk_score = 21 rule_id = "7b3da11a-60a2-412e-8aa7-011e1eb9ed47" severity = "low" 
@@ -38,19 +41,22 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml index 4feea28b9..5bcba1ac0 100644 --- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml +++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml 
@@ -1,20 +1,20 @@ [metadata] creation_date = "2021/07/19" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = "Identifies when an ElastiCache security group has been modified or deleted." false_positives = [ """ - A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, - user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar - users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the - rule. + A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user + identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by + unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted + from the rule. """, ] from = "now-60m" @@ -47,13 +47,15 @@ framework = "MITRE ATT&CK" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml index 0fb8a88fe..f19432778 100644 --- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml +++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/28" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -15,8 +15,8 @@ all existing findings are lost. false_positives = [ """ The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user - agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or - hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml index ab10ce280..be76c7d58 100644 --- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml +++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/27" -integration = "aws" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml index 4021725f1..c5da05cb3 100644 --- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -12,8 +12,8 @@ description = "Identifies the deletion of a specified AWS Web Application Firewa false_positives = [ """ Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, - and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts - should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml index 65a937528..a0a940404 100644 --- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml 
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/06/09"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -58,3 +58,4 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index 343d36d62..90db1be64 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/05"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -50,26 +50,25 @@ event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1020/" -name = "Automated Exfiltration" id = "T1020" +name = "Automated Exfiltration" +reference = "https://attack.mitre.org/techniques/T1020/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0010/" -name = "Exfiltration" id = "TA0010" - - +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1074/" -name = "Data Staged" id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0009/" -name = "Collection" id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml index 00f7d1428..f02b67f48 100644 --- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml +++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/24" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -90,7 +90,16 @@ references = [
 risk_score = 47
 rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Asset Visibility",
+ "Exfiltration",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index eb78385c1..62a5721f1 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -1,15 +1,16 @@
 [metadata]
 creation_date = "2021/04/22"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "aws"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
-Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.
+Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or
+exfiltrate information.
 """
 false_positives = [
 """
@@ -43,24 +44,25 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1537/" id = "T1537" name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0010/" id = "TA0010" name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1005/" id = "T1005" name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0009/" id = "TA0009" name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml index 03d2a63a9..b935525ce 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/06/06" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] @@ -42,7 +42,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti framework = "MITRE ATT&CK" [rule.threat.tactic] -name = "Exfiltration" id = "TA0010" +name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml index a6d2c03a7..c3349c5ef 100644 
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml @@ -1,23 +1,23 @@ [metadata] creation_date = "2021/06/29" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = """ -Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to -exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an -unauthorized or unexpected AWS account. +Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order +to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, +verify if the snapshot was shared with an unauthorized or unexpected AWS account. """ false_positives = [ """ Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, - and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should - be investigated. If known behavior is causing false positives, it can be exempted from the rule. + and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] index = ["filebeat-*", "logs-aws*"] 
@@ -43,19 +43,22 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1578" name = "Modify Cloud Compute Infrastructure" reference = "https://attack.mitre.org/techniques/T1578/" -id = "T1578" [[rule.threat.technique.subtechnique]] id = "T1578.004" name = "Revert Cloud Instance" reference = "https://attack.mitre.org/techniques/T1578/004/" + [rule.threat.tactic] +id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -id = "TA0005" + diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml index 896202291..aff1f36f7 100644 --- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml +++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/10/17" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] 
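Review bot: The only ATT&CK mapping this hunk leaves in `exfiltration_rds_snapshot_restored.toml` is Defense Evasion (TA0005) with T1578.004 "Revert Cloud Instance", while the file name and the description reflowed in the previous hunk frame a snapshot restore as a way to "exfiltrate bulk data", so the stated threat model and the mapping disagree. If the exfiltration scenario is intended, add a second `[[rule.threat]]` block with `id = "TA0010"` / `name = "Exfiltration"` and technique `T1537` "Transfer Data to Cloud Account", the way `exfiltration_ec2_vm_export_failure.toml` does elsewhere in this change; if not, drop the exfiltration wording from the description so analysts are not sent looking for cross-account sharing on a restore alert. The query this mapping belongs to starts before the hunk's first visible line, so I cannot tell from here which RDS actions it covers.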
@@ -14,9 +14,10 @@ visibility in applications or a break in the flow with other AWS services. """ false_positives = [ """ - EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or - hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should - be investigated. If known behavior is causing false positives, it can be exempted from the rule. + EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user + agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by + unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the + rule. """, ] from = "now-20m" @@ -38,7 +39,6 @@ tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitorin timestamp_override = "event.ingested" type = "query" - query = ''' event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and event.outcome:success @@ -48,14 +48,13 @@ event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" -id = "T1489" + [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - - diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml index f92545245..430f96829 100644 --- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml +++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml 
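Review bot: `from = "now-20m"`, kept as trailing context of the first hunk in `impact_aws_eventbridge_rule_disabled_or_deleted.toml`, is a shorter lookback than the `from = "now-60m"` used by every other AWS CloudTrail rule touched in this change (the CloudTrail, CloudWatch, ElastiCache, GuardDuty and KMS rules all use 60m), and nothing in the rule explains the difference. Because `timestamp_override = "event.ingested"` is set, the window is measured against ingestion time, so this is about overlap between consecutive rule executions rather than CloudTrail delivery delay; a silent outlier is still easy to regress, so either align it to `from = "now-60m"` or state in the rule's `note` field why 20 minutes is sufficient. The rule's `interval` is not visible in the hunk, so I cannot confirm whether a 20-minute lookback still overlaps consecutive runs.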
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/10" -integration = "aws" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml index de1ad1161..63c03b102 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/18" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml index 804952765..2934a5837 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/20" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -93,7 +93,16 @@ references = [ risk_score = 47 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact", "Investigation Guide"] +tags = [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Impact", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml index 22fbf2e80..aa5cae9c7 100644 --- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml +++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/05" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml index b514727fb..94683ac80 100644 --- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml +++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml 
@@ -1,17 +1,17 @@ [metadata] creation_date = "2021/08/27" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = """ -Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that -is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to -deleting the File System, or the adversary will be unable to delete the File System. +Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target +that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior +to deleting the File System, or the adversary will be unable to delete the File System. """ false_positives = [ """ @@ -45,6 +45,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml index 6e4efb48a..ff92f01c9 100644 --- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml +++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/26" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] 
@@ -106,3 +106,4 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml index 3d48563df..c90afafca 100644 --- a/rules/integrations/aws/impact_iam_group_deletion.toml +++ b/rules/integrations/aws/impact_iam_group_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -15,8 +15,8 @@ group does not delete resources that are members of the group; it only deletes t false_positives = [ """ A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or - hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts - should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml index 10ff682d4..148471dfc 100644 --- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml +++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2022/09/21" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/21" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Xavier Pich"] @@ -16,9 +16,9 @@ decrypted, which means that data becomes unrecoverable. """ false_positives = [ """ - A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, - and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is - causing false positives, it can be exempted from the rule. + A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the + user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar + users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" @@ -45,12 +45,15 @@ query = ''' event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml index 9cd434743..a5f04a18f 100644 --- a/rules/integrations/aws/impact_rds_group_deletion.toml +++ b/rules/integrations/aws/impact_rds_group_deletion.toml 
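Review bot: The false-positives guidance reflowed in the second hunk of `impact_kms_cmk_disabled_or_scheduled_for_deletion.toml` only mentions "Key deletions by unfamiliar users", but the query kept as context in the third hunk (`event.action:("DisableKey" or "ScheduleKeyDeletion")`) fires on DisableKey as well, so an analyst following the guidance would not expect disable events; change the sentence to `Key disabling or deletions by unfamiliar users should be investigated.` The description's "data becomes unrecoverable" (visible only as hunk-header context) is also stronger than what ScheduleKeyDeletion does on its own, since it starts a pending-deletion waiting period during which the deletion can still be cancelled, so the triage text should make clear that prompt investigation can still prevent the loss. The rest of the description is outside the hunk, so the exact sentence to adjust is not in my view.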
@@ -1,10 +1,10 @@ [metadata] creation_date = "2021/06/05" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] @@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1531/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml index ce6ad602d..da994b2ca 100644 --- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml +++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml 
@@ -1,22 +1,22 @@ [metadata] creation_date = "2020/05/21" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database -cluster, or database instance. +Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, +or database instance. """ false_positives = [ """ - Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname - should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be - investigated. If known behavior is causing false positives, it can be exempted from the rule. + Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or + hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" @@ -34,8 +34,7 @@ references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", - "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html" - + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html", ] risk_score = 47 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad" 
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml index acc28ba1e..f34f288d9 100644 --- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml +++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/20" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml index 1dca14a27..ebb4c19c6 100644 --- a/rules/integrations/aws/initial_access_console_login_root.toml +++ b/rules/integrations/aws/initial_access_console_login_root.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/11" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -72,7 +72,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm risk_score = 47 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"] +tags = [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml index b6971a8ef..9b3aef3b2 100644 
--- a/rules/integrations/aws/initial_access_password_recovery.toml +++ b/rules/integrations/aws/initial_access_password_recovery.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/07/02" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml index b67b067a0..5db45844d 100644 --- a/rules/integrations/aws/initial_access_via_system_manager.toml +++ b/rules/integrations/aws/initial_access_via_system_manager.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/07/06" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -89,7 +89,16 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm- risk_score = 21 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing", "Initial Access", "Investigation Guide"] +tags = [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Log Auditing", + "Initial Access", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml index 65225f55e..f5c7fc30a 100644 --- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml +++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml 
@@ -4,7 +4,7 @@ maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2022/09/13" -integration = "aws" +integration = ["aws"] [rule] anomaly_threshold = 50 diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml index 96f8fa671..73751f649 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml @@ -4,7 +4,7 @@ maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2022/09/13" -integration = "aws" +integration = ["aws"] [rule] anomaly_threshold = 50 diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml index 2dcf73ce0..642b2600b 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml @@ -4,7 +4,7 @@ maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2022/09/13" -integration = "aws" +integration = ["aws"] [rule] anomaly_threshold = 50 diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml index 79c920f4c..cb821e52f 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml @@ -4,7 +4,7 @@ maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2022/09/13" -integration = "aws" +integration = ["aws"] [rule] anomaly_threshold = 50 
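Review bot: The five ml_cloudtrail_* rules (ml_cloudtrail_error_message_spike, ml_cloudtrail_rare_error_code, ml_cloudtrail_rare_method_by_city, ml_cloudtrail_rare_method_by_country and ml_cloudtrail_rare_method_by_user) change `integration = "aws"` to `integration = ["aws"]` but keep `updated_date = "2022/09/13"`, while every other rule in this diff that receives the same change also bumps `updated_date` to `"2022/12/14"` (for example collection_update_event_hub_auth_rule.toml, which goes from 2022/12/12 to 2022/12/14 for nothing but the list form). Whichever policy is intended — metadata-only edits bump the date or they don't — it should be applied the same way across the commit, so either add `updated_date = "2022/12/14"` to these five hunks or leave the date alone in the others. If any tooling keys off `updated_date` to decide whether a rule has changed, the stale date on these five would hide the edit, but that is an inference, not something this hunk shows.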
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml index efba6bbd1..ff9fda645 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml @@ -4,7 +4,7 @@ maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2022/09/13" -integration = "aws" +integration = ["aws"] [rule] anomaly_threshold = 75 diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml index 51ed2a7bf..bb216830e 100644 --- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml +++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/04" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -15,8 +15,8 @@ ACL with a specified rule number. false_positives = [ """ Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or - hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should - be investigated. If known behavior is causing false positives, it can be exempted from the rule. + hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" 
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index 5182aae26..287781d8e 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/05/05" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] @@ -15,9 +15,9 @@ pivot in an AWS environment. """ false_positives = [ """ - A security group may be created by a system or network administrator. Verify whether the user identity, user - agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users - or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + A security group may be created by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-30m" 
@@ -48,24 +48,24 @@ RevokeSecurityGroupIngress) and event.outcome:success framework = "MITRE ATT&CK" [rule.threat.tactic] -name = "Persistence" id = "TA0003" +name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" + - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml index 98658f842..bc2c7f49e 100644 --- a/rules/integrations/aws/persistence_iam_group_creation.toml +++ b/rules/integrations/aws/persistence_iam_group_creation.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/06/05" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml index 3c8dde9c5..9df7e8bd7 100644 --- a/rules/integrations/aws/persistence_rds_cluster_creation.toml +++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/20" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -15,8 +15,8 @@ across multiple regions. false_positives = [ """ Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, - and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts - should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml index 8000c16a7..88477b635 100644 --- a/rules/integrations/aws/persistence_rds_group_creation.toml +++ b/rules/integrations/aws/persistence_rds_group_creation.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/06/05" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] 
@@ -12,8 +12,8 @@ description = "Identifies the creation of an Amazon Relational Database Service false_positives = [ """ An RDS security group may be created by a system or network administrator. Verify whether the user identity, user - agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users - or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml index dcc819da6..bdb5db8cb 100644 --- a/rules/integrations/aws/persistence_rds_instance_creation.toml +++ b/rules/integrations/aws/persistence_rds_instance_creation.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/06/06" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml index 817550e62..a48928693 100644 --- a/rules/integrations/aws/persistence_redshift_instance_creation.toml +++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2022/04/12" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -16,8 +16,8 @@ and could introduce security vulnerabilities. false_positives = [ """ Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, - and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts - should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-60m" @@ -33,8 +33,8 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea risk_score = 21 rule_id = "015cca13-8832-49ac-a01b-a396114809f6" severity = "low" -timestamp_override = "event.ingested" tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"] +timestamp_override = "event.ingested" type = "query" query = ''' diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml index 072f305a8..191d170d8 100644 --- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2021/05/10" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml index d0a6ae236..83b783afd 100644 --- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/05/10" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] @@ -43,19 +43,19 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1098" -reference = "https://attack.mitre.org/techniques/T1098/" name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0006" -reference = "https://attack.mitre.org/tactics/TA0006/" name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" 
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml index 7ef1506a3..9bd57f93d 100644 --- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml +++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/07/19" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] @@ -12,8 +12,8 @@ description = "Identifies when a Route53 private hosted zone has been associated false_positives = [ """ A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user - identity, user agent, and/or hostname should be making changes in your environment. If known behavior is - causing false positives, it can be exempted from the rule. + identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing + false positives, it can be exempted from the rule. """, ] from = "now-60m" @@ -43,11 +43,12 @@ event.outcome:success framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1098" -reference = "https://attack.mitre.org/techniques/T1098/" name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml index d175dac1f..a415ababa 100644 --- a/rules/integrations/aws/persistence_route_table_created.toml 
+++ b/rules/integrations/aws/persistence_route_table_created.toml @@ -1,20 +1,20 @@ [metadata] creation_date = "2021/06/05" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] description = "Identifies when an AWS Route Table has been created." false_positives = [ """ - Route Tables may be created by a system or network administrators. Verify whether the user identity, user - agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or - hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - Automated processes that use Terraform may lead to false positives. + Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated + processes that use Terraform may lead to false positives. """, ] from = "now-60m" @@ -48,6 +48,7 @@ event.outcome:success framework = "MITRE ATT&CK" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0003/" -name = "Persistence" id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml index 41128fdc6..52ee8af2a 100644 --- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml +++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml 
@@ -1,20 +1,20 @@ [metadata] creation_date = "2021/06/05" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] description = "Identifies when an AWS Route Table has been modified or deleted." false_positives = [ """ - Route Table could be modified or deleted by a system administrator. Verify whether the user identity, - user agent, and/or hostname should be making changes in your environment. Route Table being modified - from unfamiliar users should be investigated. If known behavior is causing false positives, it can be - exempted from the rule. Also automated processes that use Terraform may lead to false positives. + Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also + automated processes that use Terraform may lead to false positives. """, ] from = "now-60m" @@ -47,10 +47,12 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0003/" -name = "Persistence" id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml index 78416677b..d05216a60 100644 
--- a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml +++ b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml @@ -1,21 +1,19 @@ [metadata] creation_date = "2021/09/22" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] -description = """ -Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. -""" +description = "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target." false_positives = [ """ SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or - hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should - be investigated. If known behavior is causing false positives, it can be exempted from the rule. + hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-25m" @@ -42,6 +40,7 @@ event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazon UpdateSAMLProvider) and event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -54,6 +53,7 @@ name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml index 99db503f1..3b18cb497 100644 
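Review bot: The `description` in privilege_escalation_aws_suspicious_saml_activity.toml is collapsed from a `"""` block onto a single line of roughly 130 characters, while the same hunk rewraps the `false_positives` text to fit about 120 columns; the two normalisations pull in opposite directions and the result will be re-wrapped again the next time the formatter's width rule is applied. Keeping the multi-line form, `description = """` followed by the sentence wrapped at the same width as `false_positives` and a closing `"""`, matches how the longer descriptions elsewhere in this diff (e.g. impact_rds_instance_cluster_deletion.toml) are handled. The rest of the file, including the query and the threat mapping, is outside this chunk's visible hunks.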
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml +++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/07/06" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -81,7 +81,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm risk_score = 73 rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc" severity = "high" -tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"] +tags = [ + "Elastic", + "Cloud", + "AWS", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml index f1a82be81..e023e41df 100644 --- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml +++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/05/17" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] 
@@ -12,19 +12,15 @@ description = """ Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. """ -false_positives = [ - """ - Automated processes that use Terraform may lead to false positives. - """, -] +false_positives = ["Automated processes that use Terraform may lead to false positives."] index = ["filebeat-*", "logs-aws*"] language = "kuery" license = "Elastic License v2" name = "AWS Security Token Service (STS) AssumeRole Usage" -references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"] note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"] risk_score = 21 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726" severity = "low" @@ -37,6 +33,7 @@ event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.acti aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -66,3 +63,4 @@ reference = "https://attack.mitre.org/techniques/T1550/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml index 991f7e7f9..b57ea27ac 100644 --- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml +++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2021/05/17" +integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "aws" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] @@ -14,9 +14,9 @@ escalate privileges. """ false_positives = [ """ - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user - agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or - hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] index = ["filebeat-*", "logs-aws*"] @@ -26,10 +26,7 @@ name = "AWS STS GetSessionToken Abuse" note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" -references = [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", -] - +references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"] risk_score = 21 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807" severity = "low" @@ -72,3 +69,4 @@ reference = "https://attack.mitre.org/techniques/T1550/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml index fbbd8836f..da2bc84bf 100644 
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/06"
+integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "aws"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,15 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-
 risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "AWS",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index ffb55f482..75a62dbb0 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
-integration = "azure"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index fb721a6ae..bc417b96d 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml @@ -1,11 +1,10 @@ [metadata] creation_date = "2021/08/12" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" - +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] @@ -16,9 +15,10 @@ internal traffic. """ false_positives = [ """ - Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, - user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar - users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user + agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar + users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the + rule. """, ] from = "now-25m" @@ -32,8 +32,8 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"] risk_score = 47 rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f" -tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"] severity = "medium" +tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"] timestamp_override = "event.ingested" type = "query" 
@@ -48,16 +48,16 @@ event.outcome:(Success or success) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1040/" -name = "Network Sniffing" id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0006/" -name = "Credential Access" id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml index a2d1c4bc3..ecbd1d138 100644 --- a/rules/integrations/azure/credential_access_key_vault_modified.toml +++ b/rules/integrations/azure/credential_access_key_vault_modified.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/31" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re references = [ "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 47 rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec" diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml index 3cc97f76e..e863856d3 100644 --- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml 
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/19"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index 03225e9d2..93deee3e5 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/14"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index 450ac76db..e15492d2e 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/01"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -39,10 +39,12 @@ event.dataset:azure.activitylogs and event.outcome:(Success or success) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0005/" -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml index 35aa843c5..ca0aece00 100644 --- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml +++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml 
@@ -1,22 +1,22 @@ [metadata] creation_date = "2021/09/22" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = """ -Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure -Blob. An adversary may modify the permissions on a blob to weaken their target's security controls -or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss. +Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An +adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may +inadvertently modify the permissions, which could lead to data exposure or loss. """ false_positives = [ """ - Blob permissions may be modified by system administrators. Verify that the configuration change was - expected. Exceptions can be added to this rule to filter expected behavior. + Blob permissions may be modified by system administrators. Verify that the configuration change was expected. + Exceptions can be added to this rule to filter expected behavior. """, ] index = ["filebeat-*", "logs-azure*"] @@ -54,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1222/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml index ec9f32538..dfefee018 100644 --- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml +++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml 
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/17"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index c1d10df75..b011f853d 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/14"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,15 @@ references = [
 risk_score = 21
 rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index e77f6f12f..142e1ff2b 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/18" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -15,8 +15,8 @@ volumes of events and data. An adversary may delete an Event Hub in an attempt t false_positives = [ """ Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or - resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts - should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-25m" diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml index fdac3a5ed..bb9fafdd9 100644 --- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml +++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/18" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -15,8 +15,8 @@ defenses and/or to eliminate barriers to their objective. false_positives = [ """ Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, - and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users - or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-25m" diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml index 697745bbc..aef515c47 100644 --- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml +++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml 
@@ -1,22 +1,24 @@ [metadata] creation_date = "2021/08/01" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = """ -Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall -(WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective. +Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a +Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their +objective. """ false_positives = [ """ - Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, - hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by - unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify + whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web + Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior + is causing false positives, it can be exempted from the rule. """, ] from = "now-25m" @@ -59,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml index cfb6b36fb..3d103759a 100644 --- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml @@ -1,23 +1,23 @@ [metadata] creation_date = "2021/06/24" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = """ Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. -Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events -in Azure Kubernetes in an attempt to evade detection. +Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in +Azure Kubernetes in an attempt to evade detection. """ false_positives = [ """ Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or - resource name should be making changes in your environment. Events deletions by unfamiliar users or hosts - should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + resource name should be making changes in your environment. Events deletions by unfamiliar users or hosts should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-25m" @@ -61,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml index 722f5c498..1f58ca3e1 100644 --- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/31" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -16,8 +16,8 @@ attempt to evade defenses. false_positives = [ """ Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, - and/or resource name should be making changes in your environment. Network Watcher deletions by unfamiliar users - or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + and/or resource name should be making changes in your environment. Network Watcher deletions by unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-25m" diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml index 6155a4e66..13a18a2c3 100644 --- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml +++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2021/08/27" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] @@ -47,12 +47,14 @@ event.outcome: "success" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml index 0853719ab..4a7ea87e8 100644 --- a/rules/integrations/azure/discovery_blob_container_access_mod.toml +++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/20" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml index bc66dce79..2d75923fb 100644 --- a/rules/integrations/azure/execution_command_virtual_machine.toml +++ b/rules/integrations/azure/execution_command_virtual_machine.toml 
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/17"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index 621673416..992715b4d 100644
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/05"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 54c4bc106..7db31d20f 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/24"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Austin Songer"]
@@ -14,9 +14,9 @@ of the environment. """ false_positives = [ """ - Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname - should be making changes in your environment. Pods deletions by unfamiliar users or hosts should be - investigated. If known behavior is causing false positives, it can be exempted from the rule. + Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should + be making changes in your environment. Pods deletions by unfamiliar users or hosts should be investigated. If known + behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-25m" @@ -50,3 +50,4 @@ framework = "MITRE ATT&CK" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml index 61c0ea073..bc4ef9f63 100644 --- a/rules/integrations/azure/impact_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resource_group_deletion.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/17" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml index 6aafda577..294e12873 100644 --- a/rules/integrations/azure/impact_virtual_network_device_modified.toml +++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml 
@@ -1,23 +1,23 @@ [metadata] creation_date = "2020/08/12" +integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "azure" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = """ -Identifies when a virtual network device is modified or deleted. This can be a network virtual -appliance, virtual hub, or virtual router. +Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, +or virtual router. """ false_positives = [ """ - Virtual Network Device modification or deletion may be performed by a system administrator. Verify - whether the user identity, user agent, and/or hostname should be making changes in your environment. - Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known - behavior is causing false positives, it can be exempted from the rule. + Virtual Network Device modification or deletion may be performed by a system administrator. Verify whether the user + identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device + modification or deletion by unfamiliar users should be investigated. If known behavior is causing false positives, + it can be exempted from the rule. """, ] from = "now-25m" @@ -50,8 +50,8 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml index 09a4c24ba..0dbcd3adb 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml 
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/01/04"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -80,7 +80,15 @@ references = [
 risk_score = 73
 rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
 severity = "high"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 5aadfd55d..6c313d51d 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/10/18"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Austin Songer"]
@@ -76,11 +76,18 @@ references = [
 risk_score = 47
 rule_id = "26edba02-6979-4bce-920a-70b080a7be81"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
-
 query = '''
 event.dataset:azure.signinlogs and azure.signinlogs.properties.risk_state:("confirmedCompromised" or "atRisk") and event.outcome:(success or Success)
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index b3b16fa8a..fcc2e0b4d 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/14"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,15 @@ references = [
 risk_score = 21
 rule_id = "a605c51a-73ad-406d-bf3a-f24cc41d5c97"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index c0c40f030..406cff8ea 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/01"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,15 @@ references = [
 risk_score = 47
 rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index ccb6f215c..944e6112a 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/31"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
index 6d5432f8b..9a5811e0c 100644
--- a/rules/integrations/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index ab1b462ec..6d5246515 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index d73b74ca7..e7d727c31 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index 44e1b37df..8bd532060 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/01"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index 765d376c0..d8e290291 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -1,18 +1,18 @@
 [metadata]
 creation_date = "2022/01/06"
-integration = "azure"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
 description = """
 In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
-is a role that enables users to have access to all administrative features in Azure AD and services that use Azure
-AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online,
-and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
+is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD
+identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
+Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
 subscriptions and their settings and resources.
 """
 from = "now-25m"
@@ -24,7 +24,7 @@ note = """## Setup
 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
- "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"
+ "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
 ]
 risk_score = 47
 rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
@@ -42,18 +42,19 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1098/"
-name = "Account Manipulation"
 id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
- [[rule.threat.technique.subtechnique]]
- reference = "https://attack.mitre.org/techniques/T1098/003/"
- name = "Additional Cloud Roles"
- id = "T1098.003"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index a8cde4386..0a5fe2581 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/24"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index eddb6dcbf..6e1e03c9b 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/01"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,15 @@ references = [
 risk_score = 47
 rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index 295644a6e..4746bae3b 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/20"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,15 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re
 risk_score = 47
 rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 1bc83ba44..8d5a6f01a 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/20"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index a5e487464..1af76d4d1 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/20"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
index 84ad211f3..e75b4cabc 100644
--- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
@@ -1,18 +1,18 @@
 [metadata]
 creation_date = "2021/10/18"
+integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "azure"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Austin Songer"]
 description = """
 Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects
-(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create
-bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges
-roles.
+(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to
+create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other
+high privileges roles.
 """
 from = "now-20m"
 index = ["filebeat-*", "logs-azure*"]
@@ -40,6 +40,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
 event.outcome:(Success or success)
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -47,3 +48,4 @@ framework = "MITRE ATT&CK"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index d23b692c3..b9f9942fb 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -1,15 +1,16 @@
 [metadata]
 creation_date = "2021/06/23"
+integration = ["cyberarkpas"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "cyberarkpas"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
-description = """Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The
-event.code correlates to the CyberArk Vault Audit Action Code.
+description = """
+Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code
+correlates to the CyberArk Vault Audit Action Code.
 """
 false_positives = ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."]
 from = "now-30m"
@@ -44,22 +45,21 @@ event.dataset:cyberarkpas.audit and event.type:error
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [rule.threat.tactic]
 id = "TA0001"
-reference = "https://attack.mitre.org/tactics/TA0001/"
 name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
index d3a0c3c72..ec6e7c232 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/23"
+integration = ["cyberarkpas"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "cyberarkpas"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -48,22 +48,21 @@ event.dataset:cyberarkpas.audit and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [rule.threat.tactic]
 id = "TA0001"
-reference = "https://attack.mitre.org/tactics/TA0001/"
 name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index 571cd3b06..0d272bf1e 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/07/08"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "endpoint"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -46,25 +46,25 @@ value = ""
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
-value = "21"
 severity = "low"
+value = "21"
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
-value = "47"
 severity = "medium"
+value = "47"
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
-value = "73"
 severity = "high"
+value = "73"
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
-value = "99"
 severity = "critical"
+value = "99"
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 7fa94db47..c79fe430d 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/23"
-integration = "gcp"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index 9dc42a54b..17785131c 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/23"
-integration = "gcp"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/12"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 0371330ef..32e4da35b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/21"
-integration = "gcp"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 215831662..860231a1b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/21"
-integration = "gcp"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index 01ae45b1e..1b5bf6250 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/21"
-integration = "gcp"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index f5bbbc966..3a3defd7b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/21"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,8 @@ delete a log bucket to evade detection.
 false_positives = [
 """
 Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource
- name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users
- or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or
+ hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
 index = ["filebeat-*", "logs-gcp*"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index fe47c6837..5ce048e04 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/18"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index dc967d1fb..10b6fd383 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/23"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index a894b06a9..e683fbfbc 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/18"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ application creates and sends messages to a topic. Deleting a topic can interrup
 false_positives = [
 """
 Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name,
- and/or hostname should be making changes in your environment. Topic deletions by unfamiliar users or hosts should
- be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ and/or hostname should be making changes in your environment. Topic deletions by unfamiliar users or hosts should be
+ investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
 index = ["filebeat-*", "logs-gcp*"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index ef5493456..f6530cf2c 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/22"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index a5596d192..2f38e7640 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/21"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
index bad67cccc..f5939c2d4 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/22"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
index 111707924..f0e5a5d23 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/22"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index 49dbccff3..5e9f6b057 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/22"
-integration = "gcp"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index 0c170a6f6..f6bdcd3b3 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/22"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index ba5c68510..0fba85ab4 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/22"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ role to inhibit access to accounts utilized by legitimate users.
 false_positives = [
 """
 Role deletions may be done by a system or network administrator. Verify whether the user email, resource name,
- and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should
- be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should be
+ investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
 index = ["filebeat-*", "logs-gcp*"]
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index b921cf62d..a699a885b 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/22"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index e1e8303c2..3c24874ef 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/22"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index 99a854e27..dd93fbbd5 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/21"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 9a85cfc2e..cff7d026b 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/21"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 6f1428961..45b332a41 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/21"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index fb9f0292f..fdad55353 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/21"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 1f97926ba..fa954486a 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/22"
+integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "gcp"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
index ddbfe5a23..5a474051a 100644
--- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
+++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/24"
-integration = "google_workspace"
+integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
index 2b164dcd3..d71e24181 100644
--- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
+++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/09/13"
-integration = "google_workspace"
+integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/19"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
index 1be1700bb..375fed3cc 100644
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
+++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/25"
-integration = "google_workspace"
+integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/25"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
index 412c1d6e7..b1bbc51f4 100644
--- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -40,8 +40,15 @@ references = ["https://support.google.com/a/answer/6160020?hl=en"]
 risk_score = 73
 rule_id = "cf549724-c577-4fd6-8f9b-d1b8ec519ec0"
 severity = "high"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps",
-"Configuration Audit", "Defense Evasion"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Google Workspace",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit",
+ "Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -49,20 +56,22 @@ query = '''
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
- [[rule.threat.technique.subtechnique]]
- id = "T1562.007"
- name = "Disable or Modify Cloud Firewall"
- reference = "https://attack.mitre.org/techniques/T1562/007/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
index 6ee71ec82..9f8984fc3 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/09/06"
-integration = "google_workspace"
+integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/06"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
index 310ea24be..b112fae18 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/25"
-integration = "google_workspace"
+integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/25"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
index debea77a2..311c6bb8e 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -40,8 +40,15 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "93e63c3e-4154-4fc6-9f86-b411e0987bbf"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps",
-"Identity and Access", "Impact"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Google Workspace",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Impact",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -49,6 +56,7 @@ query = '''
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -61,3 +69,4 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index 67e0f2259..049705350 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2022/09/13"
-integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -90,8 +90,16 @@ references = ["https://support.google.com/a/answer/9176657?hl=en#"]
 risk_score = 47
 rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps",
-"Configuration Audit", "Impact", "Investigation Guide"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Google Workspace",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit",
+ "Impact",
+ "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -101,6 +109,7 @@ event.dataset:google_workspace.admin and event.provider:admin and
 google_workspace.admin.new_value:false
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -113,3 +122,4 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
index 881064508..1fb52fa6a 100644
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -41,8 +41,15 @@ references = ["https://support.google.com/a/answer/6328701?hl=en#"]
 risk_score = 47
 rule_id = "785a404b-75aa-4ffd-8be5-3334a5a544dd"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps",
-"Configuration Audit", "Persistence"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Google Workspace",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit",
+ "Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -50,9 +57,12 @@ query = '''
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
index be2ee919c..eb03f62d3 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/26"
-integration = "google_workspace"
+integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/26"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index 815c21018..2d0a9a4ce 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
-integration = "google_workspace"
+integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/25"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index 56e081b89..ac316cfae 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/12"
+integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index 588ba08ab..847a5780c 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
index d4117a6fa..099f7fd4c 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -39,8 +39,15 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 risk_score = 47
 rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps",
-"Identity and Access", "Persistence"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Google Workspace",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -57,6 +64,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -69,3 +77,4 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index 68c591d02..8811f1c0b 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
index 24d558994..2cb7812b3 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/24"
-integration = "google_workspace"
+integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index d92d23d79..3604ac4ce 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/09/06"
-integration = "google_workspace"
+integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/06"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index 45655935a..b5bcde235 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2022/08/24"
-integration = "google_workspace"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -39,8 +39,15 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 risk_score = 47
 rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps",
-"Identity and Access", "Persistence"]
+tags = [
+ "Elastic",
+ "Cloud",
+ "Google Workspace",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Persistence",
+]
 timestamp_override = "event.ingested"
 type = "query"
@@ -48,6 +55,7 @@ query = '''
 event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index 5974b4248..e564b3a6f 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/09/13"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/09/20"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -40,9 +40,9 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: "kubernetes.audit_logs"
- and kubernetes.audit.user.username: system\:serviceaccount\:*
- and kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid"
+event.dataset: "kubernetes.audit_logs"
+ and kubernetes.audit.user.username: system\:serviceaccount\:*
+ and kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid"
 '''
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index b3cc14648..0645a542e 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/06/30"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/03"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -41,11 +41,11 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
+event.dataset : "kubernetes.audit_logs"
 and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
 and kubernetes.audit.verb:"create"
 and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews")
- and (kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*)
+ and (kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*)
 or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*))
 '''
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index 1911c2208..d96fca23f 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/05/17"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/03"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -43,9 +43,9 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
- and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
- and kubernetes.audit.verb:"create"
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.verb:"create"
 and kubernetes.audit.objectRef.resource:"pods"
 and kubernetes.audit.objectRef.subresource:"exec"
 '''
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index d5b6fd3f6..7b83def5d 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/09/13"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/03"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -38,8 +38,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
- and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
 and (kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated") or not kubernetes.audit.user.username:*)
 and not kubernetes.audit.objectRef.resource:("healthz" or "livez" or "readyz")
 '''
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index cd6643506..f44fd89de 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/07/05"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/03"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -47,10 +47,10 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
- and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
- and kubernetes.audit.objectRef.resource:"services"
- and kubernetes.audit.verb:("create" or "update" or "patch")
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:"services"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
 and kubernetes.audit.requestObject.spec.type:"NodePort"
 '''
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index 31a749e2a..4082158ea 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/09/20"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/03"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -32,19 +32,19 @@ note = """## Triage and analysis Linux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change core processes, change network settings of a cluster, or directly access the underlying host. The following have been used in container escape techniques: -BPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more. -DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks. -NET_ADMIN - Perform various network-related operations. -SYS_ADMIN - Perform a range of system administration operations. -SYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. -SYS_MODULE - Load and unload kernel modules. +BPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more. +DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks. +NET_ADMIN - Perform various network-related operations. +SYS_ADMIN - Perform a range of system administration operations. +SYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. +SYS_MODULE - Load and unload kernel modules. SYS_PTRACE - Trace arbitrary processes using ptrace(2). -SYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)). +SYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)). SYSLOG - Perform privileged syslog(2) operations. ### False positive analysis -- While these capabilities are not included by default in containers, some legitimate images may need to add them. 
This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.
+- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.
 ## Setup
@@ -63,11 +63,11 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: kubernetes.audit_logs
+event.dataset: kubernetes.audit_logs
 and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
- and kubernetes.audit.verb: create
- and kubernetes.audit.objectRef.resource: pods
- and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: ("BPF" or "DAC_READ_SEARCH" or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO" or "SYSLOG")
+ and kubernetes.audit.verb: create
+ and kubernetes.audit.objectRef.resource: pods
+ and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: ("BPF" or "DAC_READ_SEARCH" or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO" or "SYSLOG")
 and not kubernetes.audit.requestObject.spec.containers.image : ("docker.elastic.co/beats/elastic-agent:8.4.0" or "rancher/klipper-lb:v0.3.5" or "")
 '''
@@ -84,7 +84,6 @@ reference = "https://attack.mitre.org/techniques/T1611/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -97,3 +96,4 @@ reference = "https://attack.mitre.org/techniques/T1610/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index c41668b46..99e42c477 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/07/05"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/18"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -44,10 +44,10 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
- and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
- and kubernetes.audit.objectRef.resource:"pods"
- and kubernetes.audit.verb:("create" or "update" or "patch")
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:"pods"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
 and kubernetes.audit.requestObject.spec.hostIPC:true
 and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
 '''
@@ -65,7 +65,6 @@ reference = "https://attack.mitre.org/techniques/T1611/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index a526892d3..e9413d90d 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/07/05"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/18"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -43,10 +43,10 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
- and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
- and kubernetes.audit.objectRef.resource:"pods"
- and kubernetes.audit.verb:("create" or "update" or "patch")
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:"pods"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
 and kubernetes.audit.requestObject.spec.hostNetwork:true
 and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
 '''
@@ -64,7 +64,6 @@ reference = "https://attack.mitre.org/techniques/T1611/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index 2f45aadcf..568d9d558 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/07/05"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/18"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -44,10 +44,10 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
- and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
- and kubernetes.audit.objectRef.resource:"pods"
- and kubernetes.audit.verb:("create" or "update" or "patch")
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+ and kubernetes.audit.objectRef.resource:"pods"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
 and kubernetes.audit.requestObject.spec.hostPID:true
 and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
 '''
@@ -65,7 +65,6 @@ reference = "https://attack.mitre.org/techniques/T1611/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index 1c4bc3e71..b61e9294f 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/07/11"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/18"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -43,25 +43,25 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
- and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
+event.dataset : "kubernetes.audit_logs"
+ and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
 and kubernetes.audit.objectRef.resource:"pods"
 and kubernetes.audit.verb:("create" or "update" or "patch")
 and kubernetes.audit.requestObject.spec.volumes.hostPath.path:
- ("/" or
- "/proc" or
- "/root" or
- "/var" or
- "/var/run" or
- "/var/run/docker.sock" or
- "/var/run/crio/crio.sock" or
- "/var/run/cri-dockerd.sock" or
- "/var/lib/kubelet" or
- "/var/lib/kubelet/pki" or
- "/var/lib/docker/overlay2" or
- "/etc" or
- "/etc/kubernetes" or
- "/etc/kubernetes/manifests" or
+ ("/" or
+ "/proc" or
+ "/root" or
+ "/var" or
+ "/var/run" or
+ "/var/run/docker.sock" or
+ "/var/run/crio/crio.sock" or
+ "/var/run/cri-dockerd.sock" or
+ "/var/lib/kubelet" or
+ "/var/lib/kubelet/pki" or
+ "/var/lib/docker/overlay2" or
+ "/etc" or
+ "/etc/kubernetes" or
+ "/etc/kubernetes/manifests" or
 "/etc/kubernetes/pki" or
 "/home/admin")
 and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
@@ -80,7 +80,6 @@ reference = "https://attack.mitre.org/techniques/T1611/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
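Review bot: The `hostPath.path` list in the new query is matched as exact values, so `/etc/` with a trailing slash, an unlisted parent such as `/var/lib` or `/run`, or the containerd socket at `/run/containerd/containerd.sock` mounts the same host state as the listed entries without firing. Extending the list with `"/var/lib" or "/run" or "/run/containerd/containerd.sock" or "/var/run/containerd/containerd.sock"` narrows that gap, and a sentence in the rule's note stating that the list is exact-match would tell analysts not to expect prefix coverage. As in the sibling pod rules, the exception on `kubernetes.audit.requestObject.spec.containers.image` is pinned to `elastic-agent:8.4.0`, so it silently stops applying once the agent is upgraded, and because the requester controls that field and can override `command` in the same pod spec, it can in principle be used to suppress the alert; an exception keyed on the agent's `kubernetes.audit.user.username` or `objectRef.namespace` would be harder to spoof. The `-`/`+` lines in this hunk appear to differ only in whitespace.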
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index a157dc30a..5ec506a12 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/07/05"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/18"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -43,10 +43,10 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
+event.dataset : "kubernetes.audit_logs"
 and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
- and kubernetes.audit.objectRef.resource:pods
- and kubernetes.audit.verb:create
+ and kubernetes.audit.objectRef.resource:pods
+ and kubernetes.audit.verb:create
 and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true
 and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
 '''
@@ -64,7 +64,6 @@ reference = "https://attack.mitre.org/techniques/T1611/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 948324296..9aeda568b 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
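Review bot: The only privilege test in the new query is `kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true`, so a pod whose privileged container is declared under `spec.initContainers` runs with the same host access but is never matched. Wrapping the clause as `and (kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true or kubernetes.audit.requestObject.spec.initContainers.securityContext.privileged:true)` closes that variant; whether the integration also indexes `ephemeralContainers` under `requestObject` is not visible here and would need checking against the field mapping. The exception `not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")` is keyed on a value the requester writes, and a pod spec can name that image while overriding `command`/`args`, so it suppresses more than the agent; anchoring the exception on the agent's `kubernetes.audit.user.username` or `objectRef.namespace` would be harder to spoof. The `-`/`+` lines in this hunk appear to differ only in whitespace.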
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/09/13"
-integration = "kubernetes"
+integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/10/03"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -40,9 +40,9 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset : "kubernetes.audit_logs"
+event.dataset : "kubernetes.audit_logs"
 and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
- and kubernetes.audit.verb : "create"
+ and kubernetes.audit.verb : "create"
 and kubernetes.audit.objectRef.resource : "pods"
 and kubernetes.audit.objectRef.namespace : "kube-system"
 and kubernetes.audit.requestObject.spec.serviceAccountName:*controller
diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
index 647d91027..6e72358a1 100644
--- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/03/29"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic", "Gary Blackwell", "Austin Songer"]
@@ -55,16 +55,16 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+[[rule.threat.technique.subtechnique]]
+id = "T1114.003"
+name = "Email Forwarding Rule"
+reference = "https://attack.mitre.org/techniques/T1114/003/"
+
- [[rule.threat.technique.subtechnique]]
- id = "T1114.003"
- name = "Email Forwarding Rule"
- reference = "https://attack.mitre.org/techniques/T1114/003/"
 [rule.threat.tactic]
 id = "TA0009"
diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index 8af7f094a..1b48d347b 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/30"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -57,3 +57,4 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = ["user.id"]
 value = 10
+
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index fd6fd1742..52c9e4434 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/01"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -38,6 +38,7 @@ event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) a
 event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -54,3 +55,4 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = ["source.ip"]
 value = 25
+
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 0fb774db5..23048c727 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/05/17"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -32,7 +32,6 @@ severity = "high"
 tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "threshold"
-
 query = '''
 event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
 '''
@@ -54,3 +53,4 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = ["user.id"]
 value = 5
+
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index 13a919074..d30b57784 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/20"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index 45654f7fa..53221a5d5 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/19"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index 18b0a97dd..f541eef84 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/19"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index 075c90003..713d48719 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/19"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index adafec017..572b25881 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/01/13"
-integration = "o365"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -26,9 +26,7 @@ name = "O365 Mailbox Audit Logging Bypass"
 note = """## Setup
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = [
- "https://twitter.com/misconfig/status/1476144066807140355",
-]
+references = ["https://twitter.com/misconfig/status/1476144066807140355"]
 risk_score = 47
 rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d"
 severity = "medium"
@@ -43,16 +41,16 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
- [[rule.threat.technique.subtechnique]]
- id = "T1562.001"
- name = "Disable or Modify Tools"
- reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
 id = "TA0005"
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 97d63de0b..26eb780e0 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/18"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index a15a7b4e7..bbb4884a8 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/19"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
index 4e4ca912f..a0b5faddc 100644
--- a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
+++ b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
@@ -1,14 +1,12 @@
 [metadata]
 creation_date = "2021/07/15"
+integration = ["o365"]
 maturity = "development"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Austin Songer"]
-description = """
-Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute.
-"""
+description = "Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute."
 false_positives = ["Unknown"]
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
@@ -34,10 +32,12 @@ query = '''
 event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Mass download by a single user" and event.outcome:success
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [rule.threat.tactic]
+id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-id = "TA0010"
+
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 7daae5155..93be776cd 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/07/15"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Austin Songer"]
@@ -14,8 +14,8 @@ with ransomware.
 """
 false_positives = [
 """
- If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse
- encryption process.
+ If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may
+ represent an adverse encryption process.
 """,
 ]
 from = "now-30m"
@@ -42,15 +42,17 @@ query = '''
 event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+id = "T1486"
 name = "Data Encrypted for Impact"
 reference = "https://attack.mitre.org/techniques/T1486/"
-id = "T1486"
 [rule.threat.tactic]
+id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-id = "TA0040"
+
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 0e9588b01..0362a15e4 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -1,16 +1,14 @@
 [metadata]
 creation_date = "2021/07/15"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Austin Songer"]
-description = """
-Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.
-"""
+description = "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security."
 false_positives = ["Users or System Administrator cleaning out folders."]
 from = "now-30m"
 index = ["filebeat-*", "logs-o365*"]
@@ -36,14 +34,17 @@ query = '''
 event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-id = "T1485"
+
 [rule.threat.tactic]
+id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-id = "TA0040"
+
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index 6dc020aac..3a21fc34f 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/19"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 47dc36c97..d3aabc563 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/19"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 803497dc7..c27ed5396 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/18"
+integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
index 8c65fa571..05f8a4f74 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/07/15"
+integration = ["o365"]
 maturity = "development"
-updated_date = "2022/08/24"
-integration = "o365"
+updated_date = "2022/12/14"
 [rule]
 author = ["Austin Songer"]
@@ -39,12 +39,13 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" -id = "T1078" [rule.threat.tactic] +id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -id = "TA0001" + diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml index 7fa3cce75..e41247f6c 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml @@ -1,15 +1,16 @@ [metadata] creation_date = "2021/07/15" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "o365" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = """ -Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center. +Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies +per the Security Compliance Center. """ false_positives = ["A user sending emails using personal distribution folders may trigger the event."] from = "now-30m" 
@@ -36,15 +37,17 @@ query = ''' event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" -id = "T1078" [rule.threat.tactic] +id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -id = "TA0001" + diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml index 461c24dbd..45b2c0c20 100644 --- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml +++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2022/01/12" -integration = "o365" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -44,16 +44,17 @@ framework = "MITRE ATT&CK" id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" - [[rule.threat.technique.subtechnique]] - id = "T1566.001" - name = "Spearphishing Attachment" - reference = "https://attack.mitre.org/techniques/T1566/001/" - [[rule.threat.technique.subtechnique]] - id = "T1566.002" - name = "Spearphishing Link" - reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml index ed795805e..0b056bdf5 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml +++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2022/01/10" -integration = "o365" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -40,7 +40,6 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1080" name = "Taint Shared Content" @@ -51,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1080/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + 
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml index 3fe750c4d..cfd2b79bc 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml +++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml @@ -1,18 +1,18 @@ [metadata] creation_date = "2022/01/10" -integration = "o365" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers -can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. -Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain -initial access to other endpoints in the environment. +Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. +Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their +access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities +to gain initial access to other endpoints in the environment. """ false_positives = ["Benign files can trigger signatures in the built-in virus protection"] from = "now-30m" 
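Review bot: The rewrapped description on the new side still carries the misspelling `occurence` in the first line, `Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine.`; since the commit already rewrites these lines, this is the moment to correct it to `Identifies the occurrence of files uploaded to SharePoint being detected as Malware by the file scanning engine.` This text is user-facing in Kibana, so the typo ships with every release of the rule. The OneDrive sibling rule in this commit is not shown with its description here, so it is worth checking whether it repeats the same sentence.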
@@ -40,14 +40,14 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1080/" id = "T1080" name = "Taint Shared Content" +reference = "https://attack.mitre.org/techniques/T1080/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0008/" id = "TA0008" name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml index edd8dada3..33d5dd566 100644 --- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml +++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/05/17" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "o365" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] 
@@ -34,20 +34,22 @@ o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and ev not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1098/" -name = "Account Manipulation" id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique.subtechnique]] -reference = "https://attack.mitre.org/techniques/T1098/002/" -name = "Additional Email Delegate Permissions" id = "T1098.002" +name = "Additional Email Delegate Permissions" +reference = "https://attack.mitre.org/techniques/T1098/002/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0003/" -name = "Persistence" id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml index cf56129ab..3bcb7abcf 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/18" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "o365" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -34,8 +34,7 @@ references = [ risk_score = 47 rule_id = "514121ce-c7b6-474a-8237-68ff71672379" severity = "medium" -tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", -"Data Protection", "Persistence"] +tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Data Protection", "Persistence"] timestamp_override = "event.ingested" type = "query" @@ -43,6 +42,7 @@ query = ''' event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -55,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml index 6b7572018..21c7bb2e5 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml +++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/20" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "o365" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml index acc9716ae..f6c652615 100644 --- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml 
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml @@ -1,18 +1,18 @@ [metadata] creation_date = "2022/01/06" -integration = "o365" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator -is a role that enables users to have access to all administrative features in Azure AD and services that use Azure -AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, -and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all +is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD +identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and +Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. """ from = "now-25m" @@ -24,7 +24,7 @@ note = """## Setup The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ - "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" + "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator", ] risk_score = 47 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb" 
@@ -41,18 +41,19 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1098/" -name = "Account Manipulation" id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + - [[rule.threat.technique.subtechnique]] - reference = "https://attack.mitre.org/techniques/T1098/003/" - name = "Additional Cloud Roles" - id = "T1098.003" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml index 836040712..50cd1d0bc 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/30" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "o365" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -31,8 +31,15 @@ references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts risk_score = 47 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac" severity = "medium" -tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", -"Configuration Audit", "Persistence"] +tags = [ + "Elastic", + "Cloud", + "Microsoft 365", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Persistence", +] timestamp_override = "event.ingested" type = "query" @@ -43,8 +50,10 @@ o365.audit.Name:"Allow sideloading and interaction of custom apps" and o365.audit.NewValue:True and event.outcome:success ''' + [[rule.threat]] framework = "MITRE ATT&CK" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml index bba76cffc..1fa59199a 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml +++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/30" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "o365" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml index 954b92e4f..8fad19023 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml +++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/20" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "o365" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml index 884723ebc..44da822d4 100644 --- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml +++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml @@ -1,16 +1,16 @@ [metadata] creation_date = "2021/05/17" +integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" -integration = "o365" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] description = """ -Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity -provider. +Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external +identity provider. """ index = ["filebeat-*", "logs-o365*"] language = "kuery" 
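Review bot: The rewrapped description of the federation-domain rule still explains only the mechanism, `which can be used to create a trust between O365 and an external identity provider`, and not why a Privilege Escalation rule cares; the rule maps to T1484.002 Domain Trust Modification in a later hunk of this file, under which an adversary who adds or alters a federated domain can have an identity provider they control assert identities for the tenant. Since the commit is already touching these lines, suggest one added sentence such as `An attacker who controls the external identity provider can then authenticate as any user in the tenant, so these changes should match an approved change record.` The rest of the `[rule]` table, including the risk score, continues past this hunk.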
@@ -20,12 +20,12 @@ note = """## Setup The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", - "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0", + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0", ] risk_score = 21 rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8" 
@@ -44,16 +44,18 @@ event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1484/" -name = "Domain Policy Modification" id = "T1484" +name = "Domain Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Domain Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" + [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0004/" -name = "Privilege Escalation" id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml index 02a9b544c..23ee888e7 100644 --- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -22,7 +22,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 73 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0" 
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 28b89e1ba..b27863f95 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/19" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -24,7 +24,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49" diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml index caa4d0978..fb19c601a 100644 --- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml +++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2022/01/05" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -21,8 +21,9 @@ note = """## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ - "https://www.mandiant.com/resources/russian-targeting-gov-business", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"] + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", +] risk_score = 73 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7" severity = "high" @@ -39,12 +40,12 @@ sequence by user.email with maxspan=10m [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml index 233c3a800..0c14db3cf 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/07/16" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -29,7 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0" diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml index c9e085d3b..c1607f741 100644 --- a/rules/integrations/okta/credential_access_user_impersonation_access.toml +++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2022/03/22" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -24,12 +24,20 @@ note = """## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 73 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911" severity = "high" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access"] +tags = [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Credential Access", +] timestamp_override = "event.ingested" type = "query" 
@@ -45,3 +53,4 @@ framework = "MITRE ATT&CK" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml index 6b5bf4746..321563905 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/06" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -30,13 +30,12 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1" severity = "medium" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", - "Network Security","Defense Evasion"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security", "Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
@@ -44,20 +43,22 @@ query = ''' event.dataset:okta.system and event.action:zone.deactivate ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml index 700417ccd..3f9e4adcb 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/06" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -30,13 +30,12 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad" severity = "medium" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", - "Network Security", "Defense Evasion"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security", "Defense Evasion"] timestamp_override = "event.ingested" type = "query" @@ -44,17 +43,18 @@ query = ''' event.dataset:okta.system and event.action:zone.delete ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml index d8f9a2486..39c5531c3 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -30,13 +30,12 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe" severity = "low" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Monitoring", "Defense Evasion"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"] timestamp_override = "event.ingested" type = "query" @@ -44,20 +43,22 @@ query = ''' event.dataset:okta.system and event.action:policy.lifecycle.deactivate ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index 742198ea8..b57284de9 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -29,13 +29,20 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0" severity = "medium" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Identity and Access", "Defense Evasion"] +tags = [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Defense Evasion", +] timestamp_override = "event.ingested" type = "query" 
@@ -43,20 +50,22 @@ query = ''' event.dataset:okta.system and event.action:policy.rule.deactivate ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml index 1b5356484..290913405 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/28" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -30,13 +30,12 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9" severity = "medium" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Monitoring", "Defense Evasion"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"] timestamp_override = "event.ingested" type = "query" @@ -44,17 +43,18 @@ query = ''' event.dataset:okta.system and event.action:policy.lifecycle.delete ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml index e7490aac6..4293c5ad2 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/06" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -29,13 +29,12 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd" severity = "low" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Monitoring","Defense Evasion"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"] timestamp_override = "event.ingested" type = "query" @@ -50,14 +49,15 @@ framework = "MITRE ATT&CK" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml index da64de063..eba5e4378 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml 
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -30,13 +30,12 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3" severity = "medium" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Network Security", "Defense Evasion"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security", "Defense Evasion"] timestamp_override = "event.ingested" type = "query" @@ -44,20 +43,22 @@ query = ''' event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml index 99c6fdf4e..bb30144f9 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -29,13 +29,12 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45" severity = "low" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Monitoring", "Defense Evasion"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
@@ -43,20 +42,22 @@ query = ''' event.dataset:okta.system and event.action:policy.lifecycle.update ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index 5ea532d50..faaacd213 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -29,13 +29,20 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19" severity = "low" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Identity and Access", "Defense Evasion"] +tags = [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Defense Evasion", +] timestamp_override = "event.ingested" type = "query" @@ -43,20 +50,22 @@ query = ''' event.dataset:okta.system and event.action:policy.rule.update ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" - [[rule.threat.technique.subtechnique]] - id = "T1562.007" - name = "Disable or Modify Cloud Firewall" - reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 68945d0bb..359d06d14 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/08/19" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -31,7 +31,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457" @@ -89,4 +89,3 @@ reference = "https://attack.mitre.org/tactics/TA0001/" field = ["okta.actor.alternate_id"] value = 5 - diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml index ee336333f..0a908bf3e 100644 --- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml +++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -28,7 +28,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7" diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml index b67da8f34..4838eafdb 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/06" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -29,13 +29,12 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a" severity = "low" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Monitoring", "Impact"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"] timestamp_override = "event.ingested" type = "query" 
@@ -43,6 +42,7 @@ query = ''' event.dataset:okta.system and event.action:application.lifecycle.deactivate ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -54,4 +54,5 @@ reference = "https://attack.mitre.org/techniques/T1489/" [rule.threat.tactic] id = "TA0040" name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml index f169f9539..5af6bf928 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/06" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -28,13 +28,12 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f" severity = "low" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Monitoring", "Impact"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"] timestamp_override = "event.ingested" type = "query" 
@@ -42,6 +41,7 @@ query = ''' event.dataset:okta.system and event.action:application.lifecycle.delete ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -53,4 +53,5 @@ reference = "https://attack.mitre.org/techniques/T1489/" [rule.threat.tactic] id = "TA0040" name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml index c2493af91..71b8faabb 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/06" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09" @@ -42,9 +42,12 @@ query = ''' event.dataset:okta.system and event.action:application.lifecycle.update ''' + [[rule.threat]] framework = "MITRE ATT&CK" + [rule.threat.tactic] id = "TA0040" name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0040/" + 
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml index b9277d6b9..cac1bf6f2 100644 --- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml +++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -22,7 +22,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68" diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml index 047e03376..bfbc85bcd 100644 --- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/05/14" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] 
@@ -19,7 +19,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613" @@ -36,33 +36,34 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Valid Accounts" id = "T1078" +name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] -name = "Initial Access" id = "TA0001" +name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] -name = "Persistence" id = "TA0003" +name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] -name = "Privilege Escalation" id = "TA0004" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index f16428de8..10741ef19 100644 --- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588" diff --git a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml index 78b9db895..e8cdca0f9 100644 --- a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml +++ b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9" 
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 9c0d4498f..d9006607e 100644 --- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "b8075894-0b62-46e5-977c-31275da34419" diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml index f4ea1d94d..03cd607a3 100644 --- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml +++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/06" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -30,7 +30,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71" diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml index b5ad97af3..8b492628d 100644 --- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml +++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5" diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml index 8a6d67b6d..21243653f 100644 --- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml 
+++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/20" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8" diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index 3b026c2e5..c96b2fb0c 100644 --- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/05/21" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -29,7 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 21 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181" diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index 637118da2..dfcc0a441 100644 --- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/07/01" +integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" -integration = "okta" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -29,13 +29,12 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", ] risk_score = 47 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe" severity = "medium" -tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", -"Identity and Access", "Persistence"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access", "Persistence"] timestamp_override = "event.ingested" type = "query" @@ -43,6 +42,7 @@ query = ''' event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -55,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml index c5cba2446..f953beb12 100644 --- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml +++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/05/16" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml index 41db3e9ff..89686a248 100644 --- a/rules/linux/command_and_control_linux_iodine_activity.toml +++ b/rules/linux/command_and_control_linux_iodine_activity.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -34,6 +35,7 @@ query = ''' event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,4 +47,5 @@ reference = "https://attack.mitre.org/techniques/T1572/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index fc157d19c..dd31a77c1 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/12" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 87f8ddc93..146bcb877 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml 
+++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/22" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index 0a216aca1..ba3792917 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/21" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 2aeed57af..ea3710783 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/27" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 25ab699b9..358883e50 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/17" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -34,16 +35,16 @@ event.category:process and event.type:(start or process_started) and [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index ccfd5d84a..41680313a 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml 
@@ -1,14 +1,18 @@ [metadata] creation_date = "2022/07/22" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). +Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or +renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be +opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious +files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] @@ -38,7 +42,6 @@ framework = "MITRE ATT&CK" id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [[rule.threat.technique.subtechnique]] id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" @@ -51,4 +54,3 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index e6a718fb2..9e7204492 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml 
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/22" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 87c63779d..9b5458173 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/27" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 2f48d1792..afd1562ab 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/21" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 5dee1682f..22b85beb7 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/29" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 3598708e4..7e9cb1640 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -1,15 +1,17 @@ [metadata] creation_date = "2022/07/20" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. -Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. +Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting +a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and +folders on the system for persistence and defense evasion. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] @@ -51,4 +53,3 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index 05d864296..879351b85 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/24" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 6137d45bc..e9efd92c4 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/03" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 8aa75879f..1b7874984 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/23" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 747da06d2..4bd393389 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index e125a0a56..b79ce84db 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -34,6 +35,7 @@ query = ''' event.category:process and event.type:(start or process_started) and process.name:nping ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -45,4 +47,5 @@ reference = "https://attack.mitre.org/techniques/T1046/" [rule.threat.tactic] id = "TA0007" name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index f5cc6c5e0..52ad7f55e 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/27" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index bea42106a..23d102238 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/05/11" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -81,7 +82,7 @@ references = [ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", ] risk_score = 47 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 419c9b6ec..b6b31e150 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/14" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index 0206e728f..ad8030bfe 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/16" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 5f75feb51..4637a68d2 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/05/11" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -35,7 +36,7 @@ references = [ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", ] risk_score = 73 rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 780b301e7..1c4e98585 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2022/05/10" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -27,7 +28,7 @@ name = "Binary Executed from Shared Memory Directory" references = [ "https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", ] risk_score = 73 rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 3ea9831b2..e4a0390ba 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/15" +integration = ["endpoint"] maturity = "production" -updated_date = "2022/08/24" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -46,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_reverse_shell_via_named_pipe.toml b/rules/linux/execution_reverse_shell_via_named_pipe.toml index 91d5e22fa..341418a90 100644 --- a/rules/linux/execution_reverse_shell_via_named_pipe.toml +++ b/rules/linux/execution_reverse_shell_via_named_pipe.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2022/11/14" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/14" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index d3e3c6788..1a8efe237 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/05/06" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -93,7 +94,7 @@ references = [ "https://gtfobins.github.io/gtfobins/capsh/", "https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", - "https://gtfobins.github.io/gtfobins/ftp/" + "https://gtfobins.github.io/gtfobins/ftp/", ] risk_score = 47 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 0feaaf4ea..6498eff79 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -3,7 +3,8 @@ creation_date = "2022/07/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/15" +integration = ["endpoint"] [rule] author = ["Elastic"] 
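Review bot: In the execution_tc_bpf_filter.toml metadata hunk the new `integration = ["endpoint"]` line is appended after `updated_date`, whereas every other rule touched in this commit inserts it directly after `creation_date`, and `updated_date` is set to `"2022/12/15"` while the rest of the commit uses `"2022/12/14"`. The same key placement and date divergence appears in persistence_chkconfig_service_add.toml, persistence_dynamic_linker_backup.toml and persistence_etc_file_creation.toml. The other hunks (for example the relocated `updated_date` in execution_python_tty_shell.toml) suggest the `[metadata]` keys are meant to stay in alphabetical order, so the line would belong between `creation_date` and `maturity`. If the later date is not deliberate, aligning it with the rest of the change keeps the four rules from looking like a separate edit.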
@@ -11,7 +12,7 @@ description = """ Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity. """ from = "now-9m" -index = ["logs-*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "BPF filter applied using TC" diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index d40329c53..882830f7f 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -1,16 +1,14 @@ [metadata] creation_date = "2022/07/27" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] -description = """ -This rule identifies a high number (10) of process terminations via pkill from the same host within a -short time period. -""" +description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period." from = "now-9m" index = ["logs-endpoint.events.*"] language = "kuery" diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 6f07b0de7..2064ee16b 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml 
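Review bot: The index pattern in execution_tc_bpf_filter.toml is narrowed from `index = ["logs-*"]` to `index = ["logs-endpoint.events.*"]`, which drops any non-Endpoint Linux data the previous wildcard matched; the same narrowing is made in persistence_chkconfig_service_add.toml, persistence_dynamic_linker_backup.toml and persistence_etc_file_creation.toml. Other Linux rules in this commit, such as defense_evasion_chattr_immutable_file.toml and defense_evasion_hidden_shared_object.toml, keep `index = ["auditbeat-*", "logs-endpoint.events.*"]`, so it is worth confirming whether these four rules are intentionally Endpoint-only or should list `auditbeat-*` as well. Whichever is intended, the rule description should state that Elastic Endpoint data is required, so operators without that integration understand why the rule does not fire. The `[rule]` table these lines belong to begins outside the hunk.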
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/23" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index cb493e9f0..aa0b69868 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/04/23" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 09aa6fe73..52e9a35cb 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -3,7 +3,8 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/15" +integration = ["endpoint"] [rule] author = ["Elastic"] 
@@ -11,7 +12,7 @@ description = """ Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. """ from = "now-9m" -index = ["logs-*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Chkconfig Service Add" diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 028107174..073d6cb7a 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/21" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index da5c28b53..100f37b25 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml @@ -3,7 +3,8 @@ creation_date = "2022/07/12" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/15" +integration = ["endpoint"] [rule] author = ["Elastic"] 
@@ -11,7 +12,7 @@ description = """ Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. """ from = "now-9m" -index = ["logs-*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Dynamic Linker Copy" diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index e9bae72e8..44ca15b76 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -3,7 +3,8 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/17" +updated_date = "2022/12/15" +integration = ["endpoint"] [rule] author = ["Elastic"] @@ -11,7 +12,7 @@ description = """ Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access. """ from = "now-9m" -index = ["logs-*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious File Creation in /etc for Persistence" diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index 149b2ab2c..dee73ba6a 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml 
@@ -3,7 +3,8 @@ creation_date = "2022/07/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/15" +integration = ["endpoint"] [rule] author = ["Elastic"] @@ -11,7 +12,7 @@ description = """ Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. """ from = "now-9m" -index = ["logs-*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Kernel module load via insmod" diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 4dcabef11..d90657852 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/06" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 373b42235..9577d63a7 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -72,8 +73,9 @@ malware components.
 mean time to respond (MTTR).
 """
 references = [
- "https://pentestlab.blog/tag/web-shell/",
- "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"]
+ "https://pentestlab.blog/tag/web-shell/",
+ "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
+]
 risk_score = 47
 rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
 severity = "medium"
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index bc2877b9b..5b35f2602 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/27"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 5de7817de..a707e6a34 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -1,9 +1,10 @@ [metadata] creation_date = "2022/01/26" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -32,30 +33,30 @@ file where file.path : "/*GCONV_PATH*" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" -id = "T1068" [rule.threat.tactic] +id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" -id = "TA0004" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -id = "T1574" [[rule.threat.technique.subtechnique]] +id = "T1574.007" name = "Path Interception by PATH Environment Variable" reference = "https://attack.mitre.org/techniques/T1574/007/" -id = "T1574.007" [rule.threat.tactic] +id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -id = "TA0005" diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index 30c2b36fd..0aef66d6b 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/09/01" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/21" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -26,32 +27,33 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and event.action == "exec" and user.name == "root" +process where event.type == "start" and event.action == "exec" and user.name == "root" and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) - and not process.executable: - ("/usr/bin/tar", - "/bin/tar", - "/usr/bin/gzip", - "/bin/gzip", - "/usr/bin/zip", - "/bin/zip", - "/usr/bin/stat", - "/bin/stat", - "/usr/bin/cmp", - "/bin/cmp", - "/usr/bin/sudo", - "/bin/sudo", - "/usr/bin/find", - "/bin/find", - "/usr/bin/ls", - "/bin/ls", - "/usr/bin/uniq", - "/bin/uniq", - "/usr/bin/unzip", - "/bin/unzip") + and not process.executable: + ("/usr/bin/tar", + "/bin/tar", + "/usr/bin/gzip", + "/bin/gzip", + "/usr/bin/zip", + "/bin/zip", + "/usr/bin/stat", + "/bin/stat", + "/usr/bin/cmp", + "/bin/cmp", + "/usr/bin/sudo", + "/bin/sudo", + "/usr/bin/find", + "/bin/find", + "/usr/bin/ls", + "/bin/ls", + "/usr/bin/uniq", + "/bin/uniq", + "/usr/bin/unzip", + "/bin/unzip") and not process.parent.executable: "/bin/dracut" ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -81,3 +83,4 @@ reference = "https://attack.mitre.org/techniques/T1003/008/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml b/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml index 52af2b7c8..e48c3eefc 100644 --- a/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namesapce_manipulation.toml 
@@ -1,14 +1,15 @@ [metadata] creation_date = "2022/08/30" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/30" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges +Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges. """ @@ -19,7 +20,7 @@ license = "Elastic License v2" name = "Namespace Manipulation Using Unshare" references = [ "https://man7.org/linux/man-pages/man1/unshare.1.html", - "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/" + "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/", ] risk_score = 47 rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4" diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml index 66d17e006..20b119839 100644 --- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml +++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/01/04" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index bab45c5cb..3a447c4a9 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/14"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index 92c407862..9c88507f6 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/25"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index e7ecc76a4..50737b541 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/04"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index 3b8cb920f..5266adcc4 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/14" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -45,11 +46,12 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" +[[rule.threat.technique.subtechnique]] +id = "T1558.003" +name = "Kerberoasting" +reference = "https://attack.mitre.org/techniques/T1558/003/" + - [[rule.threat.technique.subtechnique]] - name = "Kerberoasting" - id = "T1558.003" - reference = "https://attack.mitre.org/techniques/T1558/003/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index d43dbdd2b..e18a7223b 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/01/06" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml index 8460830c2..8a3c69138 100644 --- a/rules/macos/credential_access_mitm_localhost_webproxy.toml +++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/05"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
index c0092f492..be115470a 100644
--- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/16"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/21"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index fa6adab10..17e59225a 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/16"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 5c88932e6..40256bcd3 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -48,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1555/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index ac74b9f84..2489f6c13 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/15"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index e3ae4dd6b..69a5e53a2 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/14"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 24fa92038..0e490a060 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/11"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index 569e56157..1a41289ca 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/13"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index 7934ef6c5..2c07f5e0c 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/14"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 1a283b58c..dd16dfa94 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/23"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index b745b7d49..0a39d60e1 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/11"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index 4d208175c..9007035ba 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/14"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 27bd40bb7..746c3d203 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/11" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -33,6 +34,7 @@ query = ''' event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml index 0617a5318..f6244bcbf 100644 --- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml +++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/01/04" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml index 64598d357..211c7ac93 100644 --- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml +++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/01/05" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml index fc629b1d0..f2a2364da 100644 --- a/rules/macos/discovery_users_domain_built_in_commands.toml 
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -1,15 +1,16 @@
 [metadata]
 creation_date = "2021/01/12"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use
-account and group information to orient themselves before deciding how to act.
+Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account
+and group information to orient themselves before deciding how to act.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 0ca015722..b9feacbfb 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index f4ac8cd90..ca2de771e 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/23"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 5fab7a995..3d8c4d11d 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -1,16 +1,19 @@
 [metadata]
 creation_date = "2021/02/23"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl).
-Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software.
-If this rule fires it should indicate the installation of a malicious or suspicious package.
+Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a
+network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS
+installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect
+their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or
+malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.
 """
 false_positives = [
 """
@@ -26,7 +29,7 @@ name = "MacOS Installer Package Spawns Network Event"
 references = [
 "https://redcanary.com/blog/clipping-silver-sparrows-wings",
 "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520",
- "https://github.com/D00MFist/Mystikal"
+ "https://github.com/D00MFist/Mystikal",
 ]
 risk_score = 47
 rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
@@ -40,6 +43,7 @@ sequence by host.id, user.id with maxspan=30s [network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")] ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml index 8bed1e85a..87f0d06eb 100644 --- a/rules/macos/execution_script_via_automator_workflows.toml +++ b/rules/macos/execution_script_via_automator_workflows.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/23" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml index 9d98ed40b..2dfb201eb 100644 --- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml +++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/07" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml index fcf05ceb1..88e998340 100644 --- a/rules/macos/execution_shell_execution_via_apple_scripting.toml +++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index 6a624b12b..24ba5f00c 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/04"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -81,3 +82,4 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 503439edc..a252f7b89 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/12"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -53,11 +54,11 @@ framework = "MITRE ATT&CK"
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
+[[rule.threat.technique.subtechnique]]
+id = "T1558.003"
+name = "Kerberoasting"
+reference = "https://attack.mitre.org/techniques/T1558/003/"
- [[rule.threat.technique.subtechnique]]
- name = "Kerberoasting"
- id = "T1558.003"
- reference = "https://attack.mitre.org/techniques/T1558/003/"
 [rule.threat.tactic]
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 6c38458ae..51961d91b 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/25"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index ab28fd91f..174805aaa 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index df6136f0f..f2b8a09c1 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -1,15 +1,16 @@
 [metadata]
 creation_date = "2020/01/25"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN).
-Adversaries may use VPN connections to laterally move and control remote systems on a network.
+Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries
+may use VPN connections to laterally move and control remote systems on a network.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 3a593cb80..29c6f16e6 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/05"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index 8134e47db..a1fa513f0 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 8b32a0121..4bf445cbf 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/05"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/07"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -35,49 +36,43 @@ process where event.type in ("start", "process_started") and process.name : "osa
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.002"
 name = "AppleScript"
 reference = "https://attack.mitre.org/techniques/T1059/002/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1647"
 name = "Plist File Modification"
 reference = "https://attack.mitre.org/techniques/T1647/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 9438a6313..61801657a 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index dd18874a9..074ab73f5 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/13"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index e9bbfc947..f5fdd41fe 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/04/25"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index f534a1397..c6405ec4d 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index 75832127a..f58ad4389 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -1,16 +1,17 @@
 [metadata]
 creation_date = "2021/01/13"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches
-on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the
-DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.
+Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon
+launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in
+the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 62a1136e6..749ab0d86 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -17,9 +18,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "Persistence via Docker Shortcut Modification"
 references = [
- """
- https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
- """,
+ "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",
 ]
 risk_score = 47
 rule_id = "c81cefcb-82b9-4408-a533-3c3df549e62d"
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 65dc9008d..6dbbc7335 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/11"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -20,8 +21,10 @@ note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
-references = ["https://www.xorrior.com/emond-persistence/",
- "https://www.sentinelone.com/blog/how-malware-persists-on-macos/"]
+references = [
+ "https://www.xorrior.com/emond-persistence/",
+ "https://www.sentinelone.com/blog/how-malware-persists-on-macos/",
+]
 risk_score = 47
 rule_id = "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90"
 severity = "medium"
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index fde1d0b5a..1782d3b9d 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/11"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index 48fee93aa..4a88b411b 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/04"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 9e731724f..19e364367 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/05"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 6e9215e78..0f0d13a49 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -18,9 +19,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Finder Sync Plugin Registered and Enabled"
 references = [
- """
- https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
- """,
+ "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",
 ]
 risk_score = 47
 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 3a6f83760..f75a11f35 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -1,16 +1,17 @@
 [metadata]
 creation_date = "2020/12/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
 description = """
-Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its
-window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a
-malicious script.
+Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is
+attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this
+feature to establish persistence by utilizing a malicious script.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index 791796d56..417e9de11 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 9b3cf0e75..e70735165 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/21"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/07"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -37,28 +38,26 @@ event.category:"file" and not event.type:"deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1647"
+name = "Plist File Modification"
+reference = "https://attack.mitre.org/techniques/T1647/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-[[rule.threat.technique]]
-id = "T1647"
-name = "Plist File Modification"
-reference = "https://attack.mitre.org/techniques/T1647/"
-
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 4525ed5a6..3b0f2b8fe 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/23"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index 5fbac202a..1f8c215d3 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/21"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 7941b93cd..5629a2f39 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/10/05"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index fd5a890d6..803351d6d 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/10/05"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/05"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index 64fe1a33c..78d519343 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/19"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 4a5f09ff1..9b8667ddf 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/21"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -32,6 +33,7 @@ event.category:"file" and not event.type:"deletion" and
 file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -43,4 +45,5 @@ reference = "https://attack.mitre.org/techniques/T1037/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index 8e2c38d17..cadcca664 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/27"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 042ba1e17..b6aa94e86 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/07"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index d4013e65c..8de6c64de 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/19"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -24,7 +25,16 @@ references = [
 risk_score = 73
 rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation", "CVE-2020-9615", "CVE-2020-9614", "CVE-2020-9613"]
+tags = [
+ "Elastic",
+ "Host",
+ "macOS",
+ "Threat Detection",
+ "Privilege Escalation",
+ "CVE-2020-9615",
+ "CVE-2020-9614",
+ "CVE-2020-9613",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index d4d570f67..81d5fc0e4 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/01/05"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 6e01d7d74..4d8da16c0 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/27"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
index 637b173c3..658d5ad8c 100644
--- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
+++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/20"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index cd9da9842..10e310b65 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/07/06"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -29,7 +30,7 @@ This activity has been observed in FIN7 campaigns."""
 references = [
 "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
 "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
- "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"
+ "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
 ]
 risk_score = 73
 rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
@@ -46,22 +47,23 @@ event.category:(network OR network_traffic) AND type:(tls OR http) AND network.t
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
-id = "T1071"
 [[rule.threat.technique]]
+id = "T1568"
 name = "Dynamic Resolution"
 reference = "https://attack.mitre.org/techniques/T1568/"
-id = "T1568"
 [[rule.threat.technique.subtechnique]]
+id = "T1568.002"
 name = "Domain Generation Algorithms"
 reference = "https://attack.mitre.org/techniques/T1568/002/"
-id = "T1568.002"
 [rule.threat.tactic]
+id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-id = "TA0011"
+
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 3b09d7fa2..ab396a84f 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/10/05"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -28,7 +29,7 @@ references = [
 "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
 "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
 "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html",
- "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"
+ "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
 ]
 risk_score = 99
 rule_id = "e7075e8d-a966-458e-a183-85cd331af255"
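Review bot: The `integration = ["endpoint"]` line added in this file's first hunk does not obviously match what the rule consumes: the query fragment in this hunk's header keys on `event.category:(network OR network_traffic) AND type:(tls OR http)`, which are network-sensor fields rather than endpoint-agent events, and the sibling teamserver-cert file below cites Packetbeat, Suricata and Zeek documentation. The rule's `index` list is outside this hunk, so this is inferred; if it does not include an endpoint data stream, tagging the rule with the endpoint package will make the related-integrations output point users at a source that cannot produce these events. Confirm against each rule's `index` and, where the data comes from a packet capture or IDS source, either name the integration that actually feeds that index or leave the field unset. The same check applies to the other `rules/network/` files in this commit (the default-telnet-port, download-rar-powershell and fin7-c2-behavior rules).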
@@ -61,3 +62,4 @@ reference = "https://attack.mitre.org/techniques/T1071/001/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml index 416a4a71e..0f0a8973c 100644 --- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml +++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/07/02" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -30,7 +31,7 @@ This activity has been observed in FIN7 campaigns.""" references = [ "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.justice.gov/opa/press-release/file/1084361/download", - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", ] risk_score = 47 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92" @@ -81,12 +82,13 @@ event.category:(network or network_traffic) and network.protocol:http and [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1105/" -name = "Ingress Tool Transfer" id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0011/" -name = "Command and Control" id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + 
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index 1b31af2f2..e7418a06a 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/07/06" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -44,22 +45,23 @@ AND destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT desti [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1071/" id = "T1071" name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1568/" id = "T1568" name = "Dynamic Resolution" +reference = "https://attack.mitre.org/techniques/T1568/" [[rule.threat.technique.subtechnique]] -reference = "https://attack.mitre.org/techniques/T1568/002/" id = "T1568.002" name = "Domain Generation Algorithms" +reference = "https://attack.mitre.org/techniques/T1568/002/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0011/" id = "TA0011" name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index e46f22010..0d6bb6db8 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/07/06" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -46,22 +47,23 @@ event.category:(network OR network_traffic) AND network.protocol:http AND [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" -id = "T1071" [[rule.threat.technique]] +id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" -id = "T1568" [[rule.threat.technique.subtechnique]] +id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" -id = "T1568.002" [rule.threat.tactic] +id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -id = "TA0011" + diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index 037247bec..e724e679a 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -42,6 +43,7 @@ event.category:(network or network_traffic) and network.transport:udp and destin framework = "MITRE ATT&CK" [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + 
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 984bc2171..5a450f359 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -43,18 +44,19 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti framework = "MITRE ATT&CK" [rule.threat.tactic] +id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -id = "TA0011" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" -id = "T1048" [rule.threat.tactic] +id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" -id = "TA0010" + diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index e2efb9f8c..87290ed28 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" -updated_date = "2022/08/24" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -107,3 +108,4 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index a0a6679f4..96f044550 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -75,24 +76,25 @@ event.category:(network or network_traffic) and network.transport:tcp and destin [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Remote Access Software" id = "T1219" +name = "Remote Access Software" reference = "https://attack.mitre.org/techniques/T1219/" [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Exploit Public-Facing Application" id = "T1190" +name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] -name = "Initial Access" id = "TA0001" +name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index 2e3e15c6b..13c3dbaaa 100644 
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -75,12 +76,13 @@ event.category:(network or network_traffic) and network.transport:tcp and destin [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1219" name = "Remote Access Software" reference = "https://attack.mitre.org/techniques/T1219/" -id = "T1219" [rule.threat.tactic] +id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -id = "TA0011" + diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 9ae1e20ed..d0827d9b4 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -67,12 +68,13 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Exploit Public-Facing Application" id = "T1190" +name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] -name = "Initial Access" id = "TA0001" +name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index ceeb34496..baf4c7841 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -67,12 +68,13 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Exploit Public-Facing Application" id = "T1190" +name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] -name = "Initial Access" id = "TA0001" +name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index 698c01a64..8c34a4469 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml 
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -68,23 +69,24 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1190" -reference = "https://attack.mitre.org/techniques/T1190/" name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] id = "TA0001" -reference = "https://attack.mitre.org/tactics/TA0001/" name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1048" -reference = "https://attack.mitre.org/techniques/T1048/" name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" [rule.threat.tactic] id = "TA0010" -reference = "https://attack.mitre.org/tactics/TA0010/" name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index 3c28a5b88..f47bb7034 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/11" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -44,12 +45,13 @@ event.category:network_traffic AND network.protocol:http AND status:OK AND desti [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1190/" -name = "Exploit Public-Facing Application" id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0001/" -name = "Initial Access" id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 973fcc93b..aa510c32f 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/15" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 1a77f4f75..0cbdcb080 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml 
@@ -1,15 +1,14 @@ [metadata] creation_date = "2021/10/19" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] -description = """ -Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. -""" +description = "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling." from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" @@ -99,33 +98,31 @@ event.category:process and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1123" name = "Audio Capture" reference = "https://attack.mitre.org/techniques/T1123/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" -reference = "https://attack.mitre.org/techniques/T1059/" name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1059.001" - reference = "https://attack.mitre.org/techniques/T1059/001/" - name = "PowerShell" [rule.threat.tactic] id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 3d2e7861a..9db6cf26f 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml 
@@ -1,15 +1,16 @@ [metadata] creation_date = "2021/10/15" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. -Attackers use this technique to capture user input, looking for credentials and/or other valuable data. +Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use +this technique to capture user input, looking for credentials and/or other valuable data. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] @@ -106,35 +107,33 @@ event.category:process and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" +[[rule.threat.technique.subtechnique]] +id = "T1056.001" +name = "Keylogging" +reference = "https://attack.mitre.org/techniques/T1056/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1056.001" - name = "Keylogging" - reference = "https://attack.mitre.org/techniques/T1056/001/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1059.001" - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" 
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index 89ab9e083..a518cca08 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/10/19" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -99,33 +100,31 @@ event.category:process and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1113" name = "Screen Capture" reference = "https://attack.mitre.org/techniques/T1113/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" -reference = "https://attack.mitre.org/techniques/T1059/" name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1059.001" - reference = "https://attack.mitre.org/techniques/T1059/001/" - name = "PowerShell" [rule.threat.tactic] id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 829f83b38..357a91105 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/04" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -97,6 +98,7 @@ name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" + [rule.threat.tactic] id = "TA0009" name = "Collection" diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index afb1960b4..d0e039d7d 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/19" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -48,8 +49,8 @@ prevalence, whether they are located in expected locations, and if they are sign processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell 
`Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index c6eb6e0ca..a5cd705d3 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -1,17 +1,18 @@ [metadata] creation_date = "2020/11/04" +integration = ["endpoint"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Adversaries may implement command and control (C2) communications that use common web services to hide their -activity. This attack technique is typically targeted at an organization and uses web services common to the victim -network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically -targeted since they have most likely been used before compromise, which helps malicious traffic blend in. +Adversaries may implement command and control (C2) communications that use common web services to hide their activity. +This attack technique is typically targeted at an organization and uses web services common to the victim network, which +allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they +have most likely been used before compromise, which helps malicious traffic blend in. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
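Review bot: The two rewritten `!{osquery{...}}` lines in this hunk drop the backslashes in front of the inner double quotes, so the JSON payload now reads `"query":"... LIKE "%LocalSystem" ..."` and `"... != "trusted""` — unescaped `"` inside a JSON string, which a strict parser will reject before the query reaches osquery. The robust fix is to use SQL string literals instead of double quotes: `user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService'` and `authenticode.result != 'trusted'`; osquery's SQLite dialect treats double-quoted tokens as identifiers first, so single quotes are also the correct SQL form. If the enclosing `note` is a TOML `"""` basic string, the old `\"` was presumably already unescaped to a bare `"` at parse time, so the single-quote form fixes both the old and the new text. The multi-line string these bullets live in begins and ends outside the hunk.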
@@ -51,8 +52,8 @@ prevalence, whether they are located in expected locations, and if they are sign processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell 
`Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -153,27 +154,26 @@ reference = "https://attack.mitre.org/techniques/T1102/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" +[[rule.threat.technique.subtechnique]] +id = "T1567.001" +name = "Exfiltration to Code Repository" +reference = "https://attack.mitre.org/techniques/T1567/001/" - [[rule.threat.technique.subtechnique]] - id = "T1567.001" - name = "Exfiltration to Code Repository" - reference = "https://attack.mitre.org/techniques/T1567/001/" +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" - [[rule.threat.technique.subtechnique]] - id = "T1567.002" - name = "Exfiltration to Cloud Storage" - reference = "https://attack.mitre.org/techniques/T1567/002/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index 1220ef31e..6ca31970d 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/11" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
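Review bot: In the investigation-guide hunk of this file the two osquery bullets lose the `\"` escapes, leaving bare double quotes inside the JSON string of `!{osquery{...}}` (`LIKE "%LocalSystem"`, `!= "trusted"`), which makes the embedded JSON invalid and the query unusable from the guide. Replace the double-quoted SQL values with single-quoted literals — `user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService'` and `authenticode.result != 'trusted'` — which is both valid inside the JSON string and the correct SQLite string-literal syntax for osquery. The surrounding multi-line `note` string starts and ends outside this hunk, so check whether the same bullets appear in other rules that were regenerated in this commit.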
@@ -64,7 +65,15 @@ references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-ove risk_score = 47 rule_id = "3a59fc81-99d3-47ea-8cd6-d48d561fca20" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame", +] type = "threshold" query = ''' @@ -78,11 +87,11 @@ framework = "MITRE ATT&CK" id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" - [[rule.threat.technique.subtechnique]] - id = "T1071.004" - name = "DNS" - reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 92f0fdd4a..c8be1c05b 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/04" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index 1cf2dca8d..298fccd02 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/28" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -58,18 +59,18 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1559.001" - name = "Component Object Model" - reference = "https://attack.mitre.org/techniques/T1559/001/" [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index bba53003d..fdfbbaa1d 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/25" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -79,7 +80,15 @@ references = [ risk_score = 47 rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index f68e344f1..917385b34 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/14" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -69,7 +70,15 @@ references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunn risk_score = 73 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index 72c7ff392..86610e937 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/03" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -51,8 +52,8 @@ from an internal system. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of 
the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -91,7 +92,15 @@ references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native risk_score = 47 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 5acf76575..2dfcff755 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/03" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
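Review bot: Dropping the `\"` escapes around `%LocalSystem`, `%LocalService`, `%NetworkService` and `trusted` in the two osquery lines changes what the parsed `query` string contains unless `note` is a TOML basic (`"""`) multi-line string, where `\"` and `"` decode to the same character; the `note =` opener lies outside this hunk, so that cannot be confirmed here. In either form the decoded value now carries bare double quotes inside a JSON-quoted `"query"` string, which a strict JSON parser would read as the end of the value and reject the rest of the block. Using SQL single-quoted literals sidesteps the escaping question entirely: `user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService'` and `WHERE authenticode.result != 'trusted'`. A test that extracts each `!{osquery{…}}` block from the parsed note and runs it through `json.loads` would pin whichever form the renderer actually accepts; the same edit appears in command_and_control_remote_file_copy_mpcmdrun.toml, command_and_control_remote_file_copy_powershell.toml, command_and_control_remote_file_copy_scripts.toml, command_and_control_sunburst_c2_activity_detected.toml, command_and_control_teamviewer_remote_file_copy.toml and credential_access_credential_dumping_msbuild.toml.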
@@ -47,8 +48,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -87,7 +88,15 @@ references = [ risk_score = 47 rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 8971101ab..fb8ba38da 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/30" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -48,8 +49,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index af35f754e..fde10a71c 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/29" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -47,8 +48,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index 4c51cfb7d..822f69722 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/14" +integration = ["endpoint"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -53,8 +54,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -115,8 +116,8 @@ network where event.type == "protocol" and network.protocol == "http" and framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" @@ -145,3 +146,4 @@ reference = "https://attack.mitre.org/techniques/T1195/002/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index e9d7547a1..9c1ed91a2 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/02" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -47,8 +48,8 @@ access. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in 
resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -85,7 +86,15 @@ references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.ht risk_score = 47 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Command and Control", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml index 67139d294..275fca8a7 100644 --- a/rules/windows/credential_access_bruteforce_admin_account.toml +++ b/rules/windows/credential_access_bruteforce_admin_account.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2020/08/29" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml index dd1f5ab36..c66b5b279 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2020/08/29" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml index 93639e2eb..c1e399b84 100644 
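Review bot: Adding `integration = ["windows"]` to credential_access_bruteforce_admin_account.toml comes without an `updated_date` bump, whereas the same metadata-only addition moves `updated_date` to `"2022/12/14"` in, for example, command_and_control_encrypted_channel_freesslcert.toml. credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml, credential_access_bruteforce_multiple_logon_failure_same_srcip.toml and credential_access_dcsync_replication_rights.toml show the same omission, since none of their other hunks touch the date line. If the repository's convention or CI check ties `updated_date` to any change in the rule file, these four need `updated_date = "2022/12/14"` as well; if the convention excludes `[metadata]`-only edits, then the bumps in the other files are the inconsistent ones and should be dropped so the date keeps meaning "rule logic or content changed".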
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2020/08/29" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -73,7 +74,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY" and - /* + /* noisy failure status codes often associated to authentication misconfiguration : 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine. 0XC000005E - There are currently no logon servers available to service the logon request. diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index b5481cbd0..8cb9b86dd 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/24" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -70,7 +71,15 @@ references = ["https://lolbas-project.github.io/"] risk_score = 73 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index e15f20b3f..c82366a01 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/24" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] @@ -24,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version references = [ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 73 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f" diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index cca55d37f..2b4b3fdd0 100644 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -55,8 +56,8 @@ modifications, and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the 
existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target @@ -104,12 +105,12 @@ sequence by process.entity_id framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" -reference = "https://attack.mitre.org/techniques/T1003/" name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" [rule.threat.tactic] id = "TA0006" -reference = "https://attack.mitre.org/tactics/TA0006/" name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index 0f84b2803..4c06f32a9 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/02/08" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -105,7 +106,15 @@ references = [ risk_score = 73 rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" 
@@ -134,20 +143,19 @@ any where event.action == "Directory Service Access" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" -reference = "https://attack.mitre.org/techniques/T1003/" name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.006" +name = "DCSync" +reference = "https://attack.mitre.org/techniques/T1003/006/" - [[rule.threat.technique.subtechnique]] - id = "T1003.006" - reference = "https://attack.mitre.org/techniques/T1003/006/" - name = "DCSync" [rule.threat.tactic] id = "TA0006" -reference = "https://attack.mitre.org/tactics/TA0006/" name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index e3029c0d5..8e2f0437a 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/01/24" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -8,8 +9,9 @@ updated_date = "2022/12/21" [rule] author = ["Elastic"] description = """ -Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over -the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting. +Identifies the modification of an account's Kerberos pre-authentication options. An adversary with +GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password +cracking attacks such as AS-REP roasting. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] 
@@ -74,7 +76,7 @@ Audit User Account Management (Success,Failure) references = [ "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md", ] risk_score = 47 rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1" @@ -90,16 +92,16 @@ event.code:4738 and message:"'Don't Require Preauth' - Enabled" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" +[[rule.threat.technique.subtechnique]] +id = "T1558.004" +name = "AS-REP Roasting" +reference = "https://attack.mitre.org/techniques/T1558/004/" + - [[rule.threat.technique.subtechnique]] - name = "AS-REP Roasting" - id = "T1558.004" - reference = "https://attack.mitre.org/techniques/T1558/004/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index ef5046c1f..2c02af1ac 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/13" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index d0ce1c049..891552ff8 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/23" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -67,12 +68,20 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version """ references = [ "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 73 rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml index 8622f38f2..ebe6e5627 100644 --- a/rules/windows/credential_access_generic_localdumps.toml +++ b/rules/windows/credential_access_generic_localdumps.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/08/28" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/28" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -22,7 +23,7 @@ name = "Full User-Mode Dumps Enabled System-Wide" references = [ "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf" + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", ] risk_score = 47 rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd" @@ -40,27 +41,23 @@ registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Erro [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" - [[rule.threat.technique.subtechnique]] - id = "T1003.001" - name = "LSASS Memory" - reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -71,3 +68,4 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index 36c1910c9..774174916 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml 
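Review bot: The `@@ -71,3 +68,4 @@` hunk of credential_access_generic_localdumps.toml appends an empty `+` line after the final `reference = ...`, so the file now ends with a blank line, while the `@@ -40,27 +41,23 @@` hunk just above it is busy removing exactly this kind of stray blank line between `[[rule.threat]]` tables. If the TOML serializer emits the trailing newline the files will churn again on the next format run; otherwise the added line should be dropped. The same trailing blank is added in credential_access_ldap_attributes.toml (`@@ -76,14 +77,14 @@`), credential_access_persistence_network_logon_provider_modification.toml (`@@ -69,3 +70,4 @@`), credential_access_posh_minidump.toml and credential_access_posh_request_ticket.toml.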
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 130d58b3e..8656c27ce 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 6c27d0f34..f3e2215a2 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -1,5 +1,6 @@
 [metadata]
 creation_date = "2020/11/02"
+integration = ["endpoint", "windows"]
 maturity = "production"
 updated_date = "2022/12/28"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
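Review bot: The `@@ -1,5 +1,6 @@` hunk of credential_access_kerberoasting_unusual_process.toml inserts `integration` in alphabetical position but leaves the pre-existing out-of-order `updated_date = "2022/12/28"` sitting before `min_stack_comments`, whereas the credential_access_lsass_memdump_file_created.toml hunk later in this diff does move `updated_date` to the end of `[metadata]`. Since this change touches the block anyway, moving the line below `min_stack_version = "8.3.0"` here would make all the `[metadata]` tables come out in the same order; credential_access_lsass_memdump_handle_access.toml (`@@ -1,5 +1,6 @@`) has the same leftover ordering.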
@@ -54,8 +55,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index 25435f0b1..48003aece 100644 --- a/rules/windows/credential_access_ldap_attributes.toml +++ b/rules/windows/credential_access_ldap_attributes.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/11/09" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -35,9 +36,9 @@ Audit Directory Service Changes (Success,Failure) ``` """ references = [ -"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", -"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", -"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", ] risk_score = 47 rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66" @@ -63,12 +64,12 @@ any where event.action == "Directory Service Access" and event.code == "4662" an /* msPKI-CredentialRoamingTokens */ "*b7ff5a38-0818-42b0-8110-d3d154c97f24*" - ) and - - /* - Excluding noisy AccessMasks - 0x0 undefined and 0x100 Control Access - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 + ) and + + /* + Excluding noisy AccessMasks + 0x0 undefined and 0x100 Control Access + https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 */ not winlog.event_data.AccessMask in ("0x0", "0x100") ''' 
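Review bot: The rewritten osquery lines of the `@@ -54,8 +55,8 @@` hunk in credential_access_kerberoasting_unusual_process.toml (which starts on the previous line) drop the backslashes from `\"%LocalSystem\"`, `\"%LocalService\"`, `\"%NetworkService\"` and `\"trusted\"`, leaving bare `"` characters inside the JSON string that is the `"query"` value of the `!{osquery{...}}` directive. Whether that matters depends on the enclosing `note` string, whose delimiters are outside the hunk: in a TOML literal string (`'''`) the backslashes were significant and the payload is no longer valid JSON, so the Osquery action in the investigation guide would stop rendering; in a basic string (`"""`) `\"` already parsed to `"`, the change is cosmetic, and it is then worth confirming that the osquery markup parser tolerates unescaped quotes inside the query value in the first place. If the escapes are needed, restore e.g. `user_account LIKE \"%LocalSystem\"` and `authenticode.result != \"trusted\"`. The identical edit is made in credential_access_lsass_memdump_handle_access.toml (`@@ -53,8 +53,8 @@`).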
@@ -76,14 +77,14 @@ any where event.action == "Directory Service Access" and event.code == "4662" an [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" -reference = "https://attack.mitre.org/techniques/T1003/" name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" [rule.threat.tactic] id = "TA0006" -reference = "https://attack.mitre.org/tactics/TA0006/" name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml index 0ed1d8b3f..3a0bb00b5 100644 --- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml +++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml @@ -1,16 +1,17 @@ [metadata] creation_date = "2022/06/29" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access -rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation -for credential access. +rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in +preparation for credential access. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index 95db55626..ba57403c6 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml 
@@ -1,6 +1,7 @@ [metadata] creation_date = "2022/12/28" maturity = "production" +integration = ["endpoint"] min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2022/12/28" @@ -10,7 +11,7 @@ author = ["Elastic"] description = """ Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that -are stored in Windows, such as any logged-on user's Domain password or smart card PINs. +are stored in Windows, such as any logged-on user's Domain password or smart card PINs. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -34,18 +35,18 @@ type = "eql" query = ''' library where process.executable : "?:\\Windows\\System32\\lsass.exe" and - not (dll.code_signature.subject_name : - ("Microsoft Windows", - "Microsoft Corporation", + not (dll.code_signature.subject_name : + ("Microsoft Windows", + "Microsoft Corporation", "Microsoft Windows Publisher", "Microsoft Windows Software Compatibility Publisher", "Microsoft Windows Hardware Compatibility Publisher", - "McAfee, Inc.", - "SecMaker AB", - "HID Global Corporation", + "McAfee, Inc.", + "SecMaker AB", + "HID Global Corporation", "HID Global", - "Apple Inc.", - "Citrix Systems, Inc.", + "Apple Inc.", + "Citrix Systems, Inc.", "Dell Inc", "Hewlett-Packard Company", "Symantec Corporation", 
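Review bot: In the `@@ -1,6 +1,7 @@` hunk of credential_access_lsass_loaded_susp_dll.toml the new `integration = ["endpoint"]` line is placed after `maturity`, while every other hunk in this change inserts it between `creation_date` and `maturity`, keeping `[metadata]` keys alphabetical. For consistency the three lines should read `creation_date = "2022/12/28"` / `integration = ["endpoint"]` / `maturity = "production"`. The value itself matches the rule's `index = ["logs-endpoint.events.*"]` shown in the next hunk, so only the position needs changing.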
@@ -86,12 +87,12 @@ library where process.executable : "?:\\Windows\\System32\\lsass.exe" and "CyberArk Software Ltd.", "McAfeeSysPrep", "NVIDIA Corporation PE Sign v2016") and - dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and - - not dll.hash.sha256 : - ("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c", - "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1", - "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3", + dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and + + not dll.hash.sha256 : + ("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c", + "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1", + "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3", "26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12", "9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa", "d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b", diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index 2489d2712..126cfd902 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/24" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/09/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index 8f58c0f33..b515cead6 100644 --- a/rules/windows/credential_access_lsass_memdump_handle_access.toml 
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/02/16" +integration = ["windows"] maturity = "production" updated_date = "2022/12/21" min_stack_comments = "New fields added: required_fields, related_integrations, setup" @@ -8,11 +9,10 @@ min_stack_version = "8.3.0" [rule] author = ["Elastic"] description = """ -Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with -specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). -This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, -Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump -file name. +Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access +masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool +agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, +Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] 
@@ -53,8 +53,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -114,7 +114,7 @@ references = [ "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", "http://findingbad.blogspot.com/2017/", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 73 rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de" @@ -152,16 +152,16 @@ any where event.action == "File System" and event.code == "4656" and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1003.001" - name = "LSASS Memory" - reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index b2806be7e..5be71919b 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/31" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -70,13 +71,19 @@ mean time to respond (MTTR). If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = [ - "https://www.elastic.co/security-labs/detect-credential-access" -] +references = ["https://www.elastic.co/security-labs/detect-credential-access"] risk_score = 73 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 3a9ade0a3..05dbe9053 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/07" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -97,9 +98,9 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ references = [ - "https://attack.mitre.org/software/S0002/", - "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://attack.mitre.org/software/S0002/", + "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 73 rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46" diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index e32a57d7a..3520e4dc5 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -83,12 +84,20 @@ references = [ "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 13d2e31ad..ebcd4fad8 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/02/16" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -61,13 +62,19 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "https://www.elastic.co/security-labs/detect-credential-access" -] +references = ["https://www.elastic.co/security-labs/detect-credential-access"] risk_score = 47 rule_id = "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Credential Access", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index dc96c1528..a51f3a202 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/03/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -69,3 +70,4 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index d4ed4abcd..a8a6da27f 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml 
@@ -1,15 +1,16 @@ [metadata] creation_date = "2021/10/05" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or -Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. +This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll +MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. """ false_positives = ["PowerShell scripts that use this capability for troubleshooting."] from = "now-9m" @@ -83,7 +84,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo references = [ "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", ] risk_score = 73 rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77" 
@@ -99,38 +100,36 @@ event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1003/" id = "T1003" name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" - [[rule.threat.technique.subtechnique]] - reference = "https://attack.mitre.org/techniques/T1003/001/" - id = "T1003.001" - name = "LSASS Memory" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0006/" id = "TA0006" name = "Credential Access" - +reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] - id = "T1059.001" - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml index 57e5002c9..1805ac0a6 100644 --- a/rules/windows/credential_access_posh_request_ticket.toml +++ b/rules/windows/credential_access_posh_request_ticket.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/01/24" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -100,7 +101,6 @@ event.category:process and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" @@ -110,32 +110,32 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" +[[rule.threat.technique.subtechnique]] +id = "T1558.003" +name = "Kerberoasting" +reference = "https://attack.mitre.org/techniques/T1558/003/" + - [[rule.threat.technique.subtechnique]] - id = "T1558.003" - name = "Kerberoasting" - reference = "https://attack.mitre.org/techniques/T1558/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1059.001" - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml index e158844f2..82a9175bf 100644 --- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml +++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2021/09/27" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index be483dcdb..a261356bd 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/04/30" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index 9b5cf83a2..38b9373c2 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/03/01" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
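Review bot: The `@@ -1,5 +1,6 @@` hunk for credential_access_remote_sam_secretsdump.toml adds `integration = ["endpoint", "windows"]` to `[metadata]` without bumping `updated_date`, while every `@@ -1,9 +1,10 @@` hunk in this commit pairs the new field with `-updated_date = ... / +updated_date = "2022/12/14"`. The three lines of trailing context stop at `min_stack_version`, so the existing `updated_date` value is not visible here; unless it already reads 2022/12/14, the metadata edit goes out without the date change the rest of the commit applies, which reads as an inconsistency rather than a deliberate exception. The same `-1,5 +1,6` shape appears for credential_access_saved_creds_vault_winlog.toml, credential_access_seenabledelegationprivilege_assigned_to_user.toml, credential_access_shadow_credentials.toml, credential_access_spn_attribute_modified.toml, credential_access_suspicious_winreg_access_via_sebackup_priv.toml and defense_evasion_clearing_windows_security_logs.toml. If those files are not already at that date, the one-line change for each is `updated_date = "2022/12/14"`.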
@@ -69,12 +70,21 @@ collected from the host for this detection to work. If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ - "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", - "https://www.elastic.co/security-labs/detect-credential-access"] + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://www.elastic.co/security-labs/detect-credential-access", +] risk_score = 73 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Lateral Movement", + "Credential Access", + "Investigation Guide", +] type = "eql" query = ''' diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml index 9e8d68f6c..482086114 100644 --- a/rules/windows/credential_access_saved_creds_vault_winlog.toml +++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/08/30" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -22,8 +23,9 @@ note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", - "https://www.elastic.co/security-labs/detect-credential-access"] + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", + "https://www.elastic.co/security-labs/detect-credential-access", +] risk_score = 47 rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96" severity = "medium" diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index eba480d61..f94fd6218 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -24,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version references = [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 47 rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81" 
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml index b58551961..38ce47edb 100644 --- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml +++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/01/27" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -90,7 +91,15 @@ references = [ risk_score = 73 rule_id = "f494c678-3c33-43aa-b169-bb3d5198c41d" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -103,15 +112,14 @@ event.action: "Authorization Policy Change" and event.code:4704 and winlog.event framework = "MITRE ATT&CK" [rule.threat.tactic] +id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -id = "TA0006" - [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] +id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -id = "TA0003" diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml index 3b75a4855..7add0ef72 100644 --- a/rules/windows/credential_access_shadow_credentials.toml +++ b/rules/windows/credential_access_shadow_credentials.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/01/26" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -68,13 +69,13 @@ event.action:"Directory Service Changes" and event.code:"5136" and [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Modify Authentication Process" id = "T1556" +name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] -name = "Credential Access" id = "TA0006" +name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index 121a5c77c..5689061bf 100644 --- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/02/22" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -101,7 +102,15 @@ references = [ risk_score = 73 rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Active Directory", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml index 5e5ec86cf..a52c218d3 100644 --- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2021/10/17" -updated_date = "2022/10/11" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" - +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -43,18 +43,18 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1003/" id = "T1003" name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique.subtechnique]] -reference = "https://attack.mitre.org/techniques/T1003/001/" id = "T1003.001" name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0006/" id = "TA0006" name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index 032f7fba3..eaf90c23f 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/10/07" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -22,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version """ references = [ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 73 rule_id = "9960432d-9b26-409f-972b-839a959e79e2" diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml index 1a95db160..df729969f 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml @@ -1,17 +1,17 @@ [metadata] creation_date = "2021/10/14" -updated_date = "2022/10/11" +integration = ["windows"] maturity = "production" -min_stack_version = "8.3.0" min_stack_comments = "New fields added: required_fields, related_integrations, setup" - +min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed -by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and -dump LSASS memory for credential access. +Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are +performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade +detection and dump LSASS memory for credential access. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] 
@@ -44,19 +44,19 @@ event.category:process and event.code:10 and [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "OS Credential Dumping" id = "T1003" +name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique.subtechnique]] -name = "LSASS Memory" id = "T1003.001" +name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] -name = "Credential Access" id = "TA0006" +name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" [rule.threshold] diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index 11f4e969e..e9d654c1d 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/02/16" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -89,7 +90,7 @@ Special Logon (Success) references = [ "https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 47 rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2" diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index f918efca2..fbe65d9c7 100644 --- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2021/12/25" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] @@ -95,7 +96,15 @@ references = [ risk_score = 47 rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml index dec36d942..288fbd574 100644 --- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml +++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2021/11/27" -updated_date = "2022/10/11" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" - +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -24,8 +24,8 @@ This is meant to run only on datasources using Windows security event 4688 that If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ -"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", -"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2" + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2", ] risk_score = 73 rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00" @@ -44,20 +44,18 @@ process where event.code:"4688" and [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "OS Credential Dumping" id = "T1003" +name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" [[rule.threat.technique.subtechnique]] -name = "LSASS Memory" id = "T1003.001" +name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" [rule.threat.tactic] -name = "Credential Access" id = "TA0006" +name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index ec6abb515..9380308fe 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml 
@@ -1,15 +1,14 @@ [metadata] creation_date = "2022/11/01" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/01" +updated_date = "2022/12/14" [rule] author = ["Elastic"] -description = """ -Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh. -""" +description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh." from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" @@ -43,6 +42,7 @@ framework = "MITRE ATT&CK" id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" @@ -53,8 +53,6 @@ reference = "https://attack.mitre.org/techniques/T1555/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 2feb392f9..626a5f9c4 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 1fe7636b3..1b8fa6af4 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/06/01" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -85,7 +86,15 @@ references = [ risk_score = 73 rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index dfe01cd61..b164542f4 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/11/22" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index bdfd16014..cba82d0e1 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml index 4a37cbd30..bb79a612a 100644 --- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2020/11/12" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 72632b5ab..a81d73cd3 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/02/01" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -86,7 +87,15 @@ references = [ risk_score = 21 rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml index 4e02f3e13..700bdc0b9 100644 --- a/rules/windows/defense_evasion_cve_2020_0601.toml +++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/19" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 8647b40e5..f9fc49ede 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/23" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -70,7 +71,15 @@ references = ["https://thedfirreport.com/2020/12/13/defender-control/"] risk_score = 21 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index cf592beb2..531f67711 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml 
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/07/20" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -77,11 +78,21 @@ mean time to respond (MTTR). If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"] +references = [ + "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", +] risk_score = 47 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index 28fd03f29..197b6a2f5 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index ca1481c63..630b5516a 100644 --- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml +++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/01/31" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -88,7 +89,15 @@ references = [ risk_score = 47 rule_id = "818e23e6-2094-4f0e-8c01-22d30f3506c6" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index d190a4691..27c229bed 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -57,7 +58,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index e2cde02d7..2375f977a 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/07/07" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -71,7 +72,15 @@ references = [ risk_score = 47 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index 404674639..2b37eb349 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/05/06" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index 6c3012e9e..bc51225ec 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/07/22" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index 770cb35da..7bc221d65 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/21" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index f6671987d..d6d3fb8ab 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/13" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -65,7 +66,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index 1ced78fe3..c7cc1a444 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/07/07" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -63,7 +64,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
+tags = [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion",
+ "Investigation Guide",
+ "Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 7fa0ff586..376f8e772 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/09/08"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index 04a563b17..f6008e58e 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/10/13"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 1d267ac06..ad0b458ae 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/03/25"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -94,7 +95,15 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m
 risk_score = 73
 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
+tags = [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion",
+ "Investigation Guide",
+ "Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 65b839a18..de1539996 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/03/25"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index d61498589..4db7a9a2d 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/03/25"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index c6044d04d..c22d3b35c 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/03/25"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index bf3c63d91..110228ee6 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/03/25"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 6e16c734f..6ffafbe65 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/09/03"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 8af1c0c9f..bed22ced9 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/07/07"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic", "Dennis Perto"]
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 069ad0e44..1ad519aba 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/19"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index cbdb7ad7b..b0f700a46 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/10/30"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -57,19 +58,22 @@ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Wind
 /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
- [[rule.threat.technique.subtechnique]]
- id = "T1036.005"
- name = "Match Legitimate Name or Location"
- reference = "https://attack.mitre.org/techniques/T1036/005/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index fa1940873..abe09c886 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/25"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
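Review bot: defense_evasion_hide_encoded_executable_registry.toml gets `integration = ["endpoint"]` while the neighbouring rules in this batch get `["endpoint", "windows"]`, and the hunk does not show the rule's `index` patterns, so it cannot be told from here whether the Windows integration (whose Sysmon stream also carries registry events) is deliberately left out; worth confirming the list against the rule's index patterns before merging. These values are hand-typed free-form strings repeated across dozens of files, so a loader-side check that every entry names a known packaged integration would catch typos and omissions for the whole batch, if such a check does not already exist. The same question applies to defense_evasion_injection_msbuild.toml and defense_evasion_parent_process_pid_spoofing.toml further down.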
@@ -33,14 +34,16 @@ registry where
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1140"
-name = "Deobfuscate/Decode Files or Information"
-reference = "https://attack.mitre.org/techniques/T1140/"
-[[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 9e35a7553..73f34145f 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/04/14"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index 0306fa8f8..08cc0cacf 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/03/25"
+integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/11"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 5f772baac..c47c9f4f3 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 1df9208ae..7e04d9d89 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/24"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index ce4bab22c..106bb3534 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/09/01"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index f447a189a..f2d787fb0 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/24"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 38ca0ee8b..019d73061 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index f068cd776..f76e308fb 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/24"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 0330f9bd5..fba6d2940 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/10/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/14"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 9a6486dc1..951d0f3ba 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index 5fb3e0b78..5cf5c92ac 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/01/12"
+integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/26"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -87,7 +88,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "feeed87c-5e95-4339-aef1-47fd79bcfbe3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"]
+tags = [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion",
+ "Investigation Guide",
+ "Elastic Endgame",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index f42801abf..831f62ad4 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
+integration = ["endpoint", "windows"]
 maturity = "development"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -36,11 +37,11 @@ framework = "MITRE ATT&CK"
 id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1127/"
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
- [[rule.threat.technique.subtechnique]]
- id = "T1127.001"
- name = "MSBuild"
- reference = "https://attack.mitre.org/techniques/T1127/001/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index db78aef29..40af128bc 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -36,11 +37,11 @@ framework = "MITRE ATT&CK"
 id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1127/"
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
- [[rule.threat.technique.subtechnique]]
- id = "T1127.001"
- name = "MSBuild"
- reference = "https://attack.mitre.org/techniques/T1127/001/"
 [rule.threat.tactic]
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 04dbe4030..88db5270b 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -50,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1218/005/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index 0cbb400b1..6ce88eb49 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
+integration = ["endpoint", "windows"]
 maturity = "development"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index a22b0b9d9..4b372cac5 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/03/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 4a5f33652..d801bed1a 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
index 43021cffb..69f9d5a13 100644
--- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
+++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
@@ -1,5 +1,6 @@
 [metadata]
 creation_date = "2021/07/14"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -69,17 +70,18 @@ sequence by host.id, user.id with maxspan=3m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-name = "Access Token Manipulation"
 id = "T1134"
+name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
 [[rule.threat.technique.subtechnique]]
-name = "Parent PID Spoofing"
 id = "T1134.004"
+name = "Parent PID Spoofing"
 reference = "https://attack.mitre.org/techniques/T1134/004/"
 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index d7a137c6b..5fbd0e58d 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/11/01"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/01"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index e7eba2eb4..b69d3e073 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/10/15"
+integration = ["windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -50,8 +51,8 @@ prevalence, whether they are located in expected locations, and if they are sign
 processes in the process tree.
 - Examine the host services for suspicious or anomalous entries.
 - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
- - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
- - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
+ - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
+ - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
 - Retrieve the files' SHA-256 hash values using the PowerShell 
`Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
@@ -105,9 +106,7 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-references = [
- "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load",
-]
+references = ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"]
 risk_score = 73
 rule_id = "e26f042e-c590-4e82-8e05-41e81bd822ad"
 severity = "high"
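Review bot: The two rewritten osquery lines in the note drop the `\"` escapes around `%LocalSystem`, `%LocalService`, `%NetworkService` and `trusted`, leaving bare double quotes inside the `"query":"…"` string of the `!{osquery{…}}` JSON payload. If `note` is a TOML `"""` basic string the decoded value is unchanged (both spellings yield a literal `"`), so the payload was not strict JSON before either; if it is a literal string, the change removes escaping the JSON relied on. Either way the SQL string literals would be unambiguous with single quotes, e.g. `user_account LIKE '%LocalSystem'` and `authenticode.result != 'trusted'`, which osquery's SQLite dialect accepts and which need no escaping in any TOML string form. The same rewrite appears in the defense_evasion_posh_compressed.toml note hunk below.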
@@ -126,40 +125,38 @@ event.category:process and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+[[rule.threat.technique.subtechnique]]
+id = "T1055.001"
+name = "Dynamic-link Library Injection"
+reference = "https://attack.mitre.org/techniques/T1055/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1055.002"
+name = "Portable Executable Injection"
+reference = "https://attack.mitre.org/techniques/T1055/002/"
- [[rule.threat.technique.subtechnique]]
- id = "T1055.001"
- name = "Dynamic-link Library Injection"
- reference = "https://attack.mitre.org/techniques/T1055/001/"
- [[rule.threat.technique.subtechnique]]
- id = "T1055.002"
- name = "Portable Executable Injection"
- reference = "https://attack.mitre.org/techniques/T1055/002/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
- [[rule.threat.technique.subtechnique]]
- id = "T1059.001"
- name = "PowerShell"
- reference = "https://attack.mitre.org/techniques/T1059/001/"
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 632e21021..eab461afb 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/10/19"
+integration = ["windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 [rule]
 author = ["Elastic"]
@@ -51,8 +52,8 @@ prevalence, whether they are located in expected locations, and if they are sign
 processes in the process tree.
 - Examine the host services for suspicious or anomalous entries.
 - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
- - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
- - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
+ - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
+ - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
 - Retrieve the files' SHA-256 hash values using the PowerShell 
`Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
@@ -129,37 +130,36 @@ event.category:process and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-[[rule.threat.technique]]
-id = "T1027"
-name = "Obfuscated Files or Information"
-reference = "https://attack.mitre.org/techniques/T1027/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
-reference = "https://attack.mitre.org/techniques/T1059/"
 name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
- [[rule.threat.technique.subtechnique]]
- id = "T1059.001"
- reference = "https://attack.mitre.org/techniques/T1059/001/"
- name = "PowerShell"
 [rule.threat.tactic]
 id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 00e722d62..6e338e55a 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -1,15 +1,16 @@ [metadata] creation_date = "2021/10/14" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Detects the use of Windows API functions that are commonly abused by malware and security tools to load -malicious code or inject it into remote processes. +Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code +or inject it into remote processes. """ false_positives = ["Legitimate PowerShell scripts that make use of these functions."] from = "now-9m" @@ -86,7 +87,7 @@ references = [ "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 73 rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d" 
@@ -108,21 +109,21 @@ event.category:process and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.001" +name = "Dynamic-link Library Injection" +reference = "https://attack.mitre.org/techniques/T1055/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.002" +name = "Portable Executable Injection" +reference = "https://attack.mitre.org/techniques/T1055/002/" - [[rule.threat.technique.subtechnique]] - id = "T1055.001" - name = "Dynamic-link Library Injection" - reference = "https://attack.mitre.org/techniques/T1055/001/" - [[rule.threat.technique.subtechnique]] - id = "T1055.002" - name = "Portable Executable Injection" - reference = "https://attack.mitre.org/techniques/T1055/002/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml index 561dca02b..838d40c00 100644 --- a/rules/windows/defense_evasion_potential_processherpaderping.toml +++ b/rules/windows/defense_evasion_potential_processherpaderping.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/27" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/05" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 94a72e0a2..4268b070a 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2021/10/15" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Austin Songer"] @@ -76,7 +77,15 @@ references = [ risk_score = 47 rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 7275f7a4a..d6a61782e 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/04" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index 450769c52..d12069582 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml 
@@ -1,15 +1,16 @@ [metadata] creation_date = "2022/05/31" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary -execution via malicious process arguments. +Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or +binary execution via malicious process arguments. """ from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] @@ -55,7 +56,9 @@ id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml index 19cdfa96c..576455d00 100644 --- a/rules/windows/defense_evasion_rundll32_no_arguments.toml +++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/02" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index d0f939ea1..df0a92580 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/23" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index e167cd758..0a1daa948 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/12" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml index 9b88b2623..c4250a05b 100644 --- a/rules/windows/defense_evasion_sip_provider_mod.toml +++ b/rules/windows/defense_evasion_sip_provider_mod.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/20" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 0ab06bd19..4324ae4e8 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/14" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml index f9bc598d7..9e073f949 100644 --- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml +++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/09/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index 5b5cddc7f..c354d2f65 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/05/28" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index fc277c2c9..2d128570b 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml 
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/21" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -43,12 +44,12 @@ sequence by process.entity_id with maxspan=5m framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1055" -reference = "https://attack.mitre.org/techniques/T1055/" name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" [rule.threat.tactic] id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index aa24252c7..cdcf82fc0 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/10/11" +integration = ["windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -51,8 +52,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml index fdb1a71a6..356a8d9af 100644 --- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml +++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/10/24" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -87,13 +88,13 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Process Injection" id = "T1055" +name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" [rule.threat.tactic] -name = "Defense Evasion" id = "TA0005" +name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index a9b022ce8..afd460234 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/02" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
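Review bot: In the added osquery line, `user_account == null` is a comparison with NULL and therefore yields NULL, not true, in SQLite; wrapped in `NOT (...)` the whole predicate is NULL for every row, so this "Services Running on User Accounts" query returns no results to the analyst. Replace it with `user_account IS NULL`. The unescaped `"%LocalSystem"` / `"trusted"` literals now sit inside a JSON string value, which is invalid JSON if the `!{osquery{...}}` payload is parsed strictly; prefer SQL single quotes, e.g. `authenticode.result != 'trusted'` and `user_account LIKE '%LocalSystem'`, so no double quote appears inside the directive. The `note` field this belongs to continues outside the hunk.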
@@ -56,7 +57,9 @@ id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml index 0b7c1c5d7..a5a42303f 100644 --- a/rules/windows/defense_evasion_suspicious_short_program_name.toml +++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/15" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -32,19 +33,22 @@ process where event.type == "start" and length(process.name) > 0 and length(process.name) == 5 and host.os.name == "Windows" and length(process.pe.original_file_name) > 5 ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename System Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + - [[rule.threat.technique.subtechnique]] - id = "T1036.003" - name = "Rename System Utilities" - reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 64a4e6564..72671aef2 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml 
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/02" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index a2e13a109..0614d257f 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/03" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 889acdd05..9223f06da 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/19" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -48,8 +49,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -82,7 +83,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 7a5e0545e..f2e0f8cd1 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/21" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
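Review bot: The `+` osquery lines carry over `user_account == null`, which never evaluates to true in SQLite (any comparison with NULL is NULL), so `NOT (... OR user_account == null)` filters out every row and the "user account" services query is effectively dead; it should read `OR user_account IS NULL)`. Removing the backslash escapes also embeds raw `"` inside the JSON `"query"` value of the `!{osquery{...}}` directive, which strict JSON parsing would reject — I cannot see the Kibana parser from here, but switching the SQL literals to single quotes (`'%LocalSystem'`, `'%LocalService'`, `'%NetworkService'`, `'trusted'`) removes the problem regardless of how lenient it is. This investigation-guide `note` string starts and ends outside the hunk.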
@@ -55,8 +56,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 8ccb8ab29..5d4a1eec4 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/04" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml index c7647e736..3d4e5e6e6 100644 --- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/05/28" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -42,13 +43,13 @@ sequence by host.id, process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" -id = "T1218" [rule.threat.tactic] +id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -id = "TA0005" diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml index cf0dabb8d..159ab5e45 100644 
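Review bot: The new "Retrieve Services Running on User Accounts" query still uses `user_account == null`, which in osquery/SQLite produces NULL rather than a boolean, so the negated predicate is NULL for every service and the query returns an empty result set during triage; use `user_account IS NULL`. The de-escaped `"%LocalSystem"` and `"trusted"` literals now appear as bare double quotes inside a JSON string in the `!{osquery{...}}` directive, so if that payload is JSON-parsed the query is truncated at `LIKE "`. Both issues go away with single-quoted SQL literals, e.g. `WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)` and `WHERE authenticode.result != 'trusted'`. The surrounding `note` field extends beyond this hunk.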
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -57,8 +58,8 @@ persistence mechanisms, and malware components. mean time to respond (MTTR). """ references = [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", - "https://redcanary.com/threat-detection-report/techniques/rundll32/" + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://redcanary.com/threat-detection-report/techniques/rundll32/", ] risk_score = 47 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886" diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml index ae415e282..833d6a0dc 100644 --- a/rules/windows/defense_evasion_unusual_process_network_connection.toml +++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index 639543763..0b2ab42b0 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index 799a1480f..627367799 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml index 8566611b5..73f5a1a4d 100644 --- a/rules/windows/defense_evasion_workfolders_control_execution.toml +++ b/rules/windows/defense_evasion_workfolders_control_execution.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/03/02" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic", "Austin Songer"] 
@@ -69,12 +70,20 @@ references = [ risk_score = 47 rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" +process where event.type == "start" and process.name : "control.exe" and process.parent.name : "WorkFolders.exe" and not process.executable : ("?:\\Windows\\System32\\control.exe", "?:\\Windows\\SysWOW64\\control.exe") ''' diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index b3735c640..c9f7bae6a 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index a412f5957..d028ab276 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/04" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 3844e7c56..8bd3dc6fa 100644 
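Review bot: The `+process where event.type == "start" and` line is a logic change rather than a layout one: if the unchanged context line that follows it is ` process.name : "control.exe" and process.parent.name : "WorkFolders.exe" and`, the old query had no `and` joining the two lines and would not have parsed as EQL, so this hunk repairs the detection itself. That deserves a sentence in the commit description, separate from the tag and date reformatting, and a look at why query validation did not flag the old form if it is expected to. The rule's `query` block closes inside this hunk, but the rest of the rule body above it is outside it.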
--- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index 2e786ec23..df7589298 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/05/31" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml index 9d4b61dc8..8118cc8b2 100644 --- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml 
@@ -1,14 +1,16 @@ [metadata] creation_date = "2022/11/01" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/01" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies the execution of discovery commands to enumerate system info or files and folders using the Windows Command Shell. +Identifies the execution of discovery commands to enumerate system info or files and folders using the Windows Command +Shell. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"] @@ -32,7 +34,6 @@ process where event.type == "start" and ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -50,22 +51,21 @@ reference = "https://attack.mitre.org/techniques/T1083/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + - [[rule.threat.technique.subtechnique]] - id = "T1059.003" - name = "Windows Command Shell" - reference = "https://attack.mitre.org/techniques/T1059/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index 67dbc9a82..638a57a63 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/04" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index dcc6d7224..a50b3504e 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/02" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml index 295f61ab6..1e96c7881 100644 --- a/rules/windows/discovery_posh_invoke_sharefinder.toml +++ b/rules/windows/discovery_posh_invoke_sharefinder.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/08/17" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -77,9 +78,9 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ references = [ - "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", ] risk_score = 47 rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6" @@ -107,36 +108,36 @@ event.category:process and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -id = "T1059" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" - id = "T1059.001" [[rule.threat.technique]] +id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" -id = "T1106" + [rule.threat.tactic] +id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -id = "TA0002" 
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index 2e8d82e33..2efe5a002 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/10/13" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -80,7 +81,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo """ references = [ "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", ] risk_score = 47 rule_id = "61ac3638-40a3-44b2-855a-985636ca985e" 
@@ -109,34 +110,32 @@ event.category:process and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" + [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" -[[rule.threat.technique]] -id = "T1069" -name = "Permission Groups Discovery" -reference = "https://attack.mitre.org/techniques/T1069/" - - [[rule.threat.technique.subtechnique]] - id = "T1069.001" - name = "Local Groups" - reference = "https://attack.mitre.org/techniques/T1069/001/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml index 7583d4962..fd633e275 100644 --- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml 
@@ -1,16 +1,17 @@ [metadata] creation_date = "2020/09/04" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to -test for Internet access and acquire their external IP address after they have gained access to a system. Among others, -this has been observed in campaigns leveraging the information stealer, Trickbot. +Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test +for Internet access and acquire their external IP address after they have gained access to a system. Among others, this +has been observed in campaigns leveraging the information stealer, Trickbot. """ false_positives = [ """ @@ -123,22 +124,24 @@ network where network.protocol == "dns" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" + + [[rule.threat.technique]] id = "T1614" name = "System Location Discovery" reference = "https://attack.mitre.org/techniques/T1614/" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - - [[rule.threat.technique.subtechnique]] - id = "T1016.001" - name = "Internet Connection Discovery" - reference = "https://attack.mitre.org/techniques/T1016/001/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
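Review bot: `integration = ["endpoint"]` lists only the endpoint package for this rule, whereas the neighbouring discovery rules in this diff carry `["endpoint", "windows"]`; the rule's `index` list is outside the hunk, so please confirm it contains no `winlogbeat-*` or `logs-windows.*` pattern. If it does, `"windows"` should be added here, since this list presumably feeds the packaged related-integrations metadata and a mismatch would misreport which integrations the rule needs. The description rewrap in this hunk and the T1016/T1614 reordering in the second hunk are layout only.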
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index dbd4adf50..817587d9f 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2020/10/15" +integration = ["windows"] maturity = "production" updated_date = "2022/12/21" min_stack_comments = "New fields added: required_fields, related_integrations, setup" 
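Review bot: Metadata key order in this file stays different from the rest of the diff: `updated_date = "2022/12/21"` remains above `min_stack_comments`, while the hunks for execution_command_shell_started_by_svchost.toml, execution_from_unusual_path_cmdline.toml and execution_posh_portable_executable.toml explicitly move `updated_date` after `min_stack_version`. Moving it here as well (below `min_stack_version`, which presumably follows outside this hunk) keeps the `[metadata]` table sorted consistently so the next bulk reformat does not touch this file again.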
@@ -51,8 +52,8 @@ connections. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes 
in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -156,18 +157,18 @@ iam where event.action == "user-member-enumerated" and [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1069/" id = "T1069" name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" [[rule.threat.technique.subtechnique]] -reference = "https://attack.mitre.org/techniques/T1069/001/" id = "T1069.001" name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0007/" id = "TA0007" name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index 35aea7dea..572fa2aa2 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/04" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml index 40e1b0a38..c716b248f 100644 --- a/rules/windows/discovery_security_software_wmic.toml +++ b/rules/windows/discovery_security_software_wmic.toml 
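Review bot: The investigation-guide osquery lines lose the backslash before the embedded quotes (`LIKE \"%LocalSystem\"` becomes `LIKE "%LocalSystem"`, `!= \"trusted\"` becomes `!= "trusted"`), and whether that is safe depends on the delimiter of the `note` field, which is outside this hunk. If `note` is a basic `"""` string, `\"` and `"` yield the same character and the change is a no-op; if it is a literal `'''` string, the `"query"` value inside the `!{osquery{...}}` block now holds unescaped double quotes inside a double-quoted string and the osquery query is no longer valid JSON when the guide is rendered. Please confirm the delimiter, or keep the escaped form. The same edit appears in the hunks for execution_command_shell_started_by_svchost.toml, execution_from_unusual_path_cmdline.toml and execution_posh_portable_executable.toml.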
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index e46638aa1..dd16ec895 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -1,15 +1,16 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged -on to the local system. +Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is +currently logged on to the local system. """ false_positives = [ """ diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml index 69477680f..ae1ecc902 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/14" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml index 740575033..aab56638a 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/14" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index aafc49f45..51542a324 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/20" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml index e127caf03..917e55dbc 100644 --- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 698d98d93..814eeddf0 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -47,8 +48,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -79,7 +80,7 @@ mean time to respond (MTTR). If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ - "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" + "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747", ] risk_score = 21 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2" diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index 12c09061b..50a8ef2c6 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/21" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index 81e4454bd..cf46c7e4a 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml index 7409b4e05..2925d4c1b 100644 --- a/rules/windows/execution_downloaded_shortcut_files.toml +++ b/rules/windows/execution_downloaded_shortcut_files.toml @@ -1,8 +1,9 @@ [metadata] creation_date = "2020/09/02" +integration = ["endpoint", "windows"] maturity = "development" query_schema_validation = false -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -40,11 +41,11 @@ framework = "MITRE ATT&CK" id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" - [[rule.threat.technique.subtechnique]] - id = "T1204.002" - name = "Malicious File" - reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml index 89ee324fc..f075d3571 100644 --- a/rules/windows/execution_downloaded_url_file.toml +++ b/rules/windows/execution_downloaded_url_file.toml @@ -1,8 +1,9 @@ [metadata] creation_date = "2020/09/02" +integration = ["endpoint", "windows"] maturity = "development" query_schema_validation = false -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index f72a9f59c..a71004cb2 100644 
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index dc502fd7e..e7c104cba 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/30" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -44,8 +45,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -81,7 +82,16 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Execution", + "Defense Evasion", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" @@ -193,6 +203,7 @@ process where event.type == "start" and "?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe")) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -200,24 +211,26 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + - [[rule.threat.technique.subtechnique]] - id = "T1036.005" - name = "Match Legitimate Name or Location" - reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml index b4102eb23..2bf108d6d 100644 
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -42,30 +43,28 @@ framework = "MITRE ATT&CK" id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" - [[rule.threat.technique.subtechnique]] - id = "T1204.002" - name = "Malicious File" - reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.001" +name = "Compiled HTML File" +reference = "https://attack.mitre.org/techniques/T1218/001/" - [[rule.threat.technique.subtechnique]] - id = "T1218.001" - name = "Compiled HTML File" - reference = "https://attack.mitre.org/techniques/T1218/001/" [rule.threat.tactic] diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index b3cb07922..5d75b2d19 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index dde2b98ce..ae57c80ee 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index cfb556108..dc68f719b 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/10/15"
+integration = ["windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -49,8 +50,8 @@ prevalence, whether they are located in expected locations, and if they are sign processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell 
`Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -102,7 +103,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", ] risk_score = 47 rule_id = "ad84d445-b1ce-4377-82d9-7c633f28bf9a" @@ -121,16 +122,16 @@ event.category:process and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + - [[rule.threat.technique.subtechnique]] - id = "T1059.001" - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml index 2deee6cfc..a125c6634 100644 --- a/rules/windows/execution_posh_psreflect.toml +++ b/rules/windows/execution_posh_psreflect.toml 
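Review bot: The two `+` lines drop the `\"` escapes around `%LocalSystem`, `%LocalService`, `%NetworkService` and `trusted`, which leaves the `"query"` value of each `!{osquery{...}}` block holding bare `"` characters inside a JSON string. The enclosing `note` is a TOML `"""` basic string (it closes with `"""` right before `references = [`), where `\"` and `"` both decode to `"`, so the stored note is identical before and after this hunk and the embedded JSON was already not well-formed; whether the Kibana osquery widget tolerates that I cannot tell from here. The third query already uses SQL single quotes for `concat('https://www.virustotal.com/gui/file/', sha1)`; using them for the remaining literals, `user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService'` and `authenticode.result != 'trusted'`, keeps the JSON valid with no escaping at all (`\\"` would be the spelling if the JSON must carry `\"`). The same two lines appear in the `@@ -59,8 +60,8 @@` hunk of execution_posh_psreflect.toml. The `note` string itself starts outside the hunk.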
@@ -1,15 +1,16 @@
 [metadata]
 creation_date = "2021/10/15"
+integration = ["windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables
-PowerShell to access win32 API functions.
+Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to
+access win32 API functions.
 """
 false_positives = ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"]
 from = "now-9m"
@@ -59,8 +60,8 @@ prevalence, whether they are located in expected locations, and if they are sign processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell 
`Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -116,8 +117,8 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ references = [ - "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", ] risk_score = 47 rule_id = "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe" @@ -144,24 +145,24 @@ event.category:process and [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] +id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -id = "T1059" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" - id = "T1059.001" [[rule.threat.technique]] +id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" -id = "T1106" + [rule.threat.tactic] +id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -id = "TA0002" diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index faceec9a5..86892beda 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 47e7f9988..b666d5cb8 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -71,3 +72,4 @@ reference = "https://attack.mitre.org/techniques/T1218/010/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 5adbd0ecd..5d56671c8 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/12/15"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -40,11 +41,11 @@ framework = "MITRE ATT&CK" id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique.subtechnique]] - id = "T1053.005" - name = "Scheduled Task" - reference = "https://attack.mitre.org/techniques/T1053/005/" [rule.threat.tactic] diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index 00ca0163d..37d3f89d1 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/28" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 1f88c4aef..d1bdb9264 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index fbd8716dd..c0010f8ff 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 46c17d4aa..50f5531b7 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/03/30"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index f1583ff31..4408a13c0 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index e63b63cc0..39060d52c 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/14"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 08fdd5e85..3b8055642 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 139bf0a3d..32f2bb41d 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/17"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index 050532248..2069a8112 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/08/14"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/11"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 7c9728583..8684e2098 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/10/01"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/27"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 9280f3fb7..0d1996b22 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index c66105101..7c827b6f0 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/16" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index 538bc37f5..af6042d37 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/03" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -56,9 +57,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = [ - "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" -] +references = ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"] risk_score = 47 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c" severity = "medium" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index 43433f351..4b3621c59 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 310e80927..b53a80562 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/07/19"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 453e6b313..78803ef67 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index 34fa1477c..09274abdd 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/07/03"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +74,6 @@ reference = "https://attack.mitre.org/techniques/T1566/002/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -91,3 +91,4 @@ reference = "https://attack.mitre.org/techniques/T1027/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index f4fa92279..2af0e3bce 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index 6ffcbf866..7f9fff65c 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/27"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index c100567b4..de1528346 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/03/04"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 6068ea9c0..a6c284bc9 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/03/04"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index dc6994c27..cfcbee974 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/03/08" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 65689371d..6fd4456f2 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -79,9 +80,7 @@ mean time to respond (MTTR). If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = [ - "https://www.elastic.co/blog/vulnerability-summary-follina" -] +references = ["https://www.elastic.co/blog/vulnerability-summary-follina"] risk_score = 47 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f" severity = "medium" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index 4a47e6939..f3368beed 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/20"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index 391583161..b4dfcfa0f 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/07/16"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +82,7 @@ references = [
 "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
 "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
 "https://github.com/maxpl0it/CVE-2020-1350-DoS",
- "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"
+ "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability",
 ]
 risk_score = 73
 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 32e5bb38d..d7f66a709 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/07/16"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/07"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +31,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 references = [
 "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
 "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
- "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"
+ "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability",
 ]
 risk_score = 73
 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index ef7c17727..52e495f3e 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/10/29"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 8e6b4c392..3374da4d1 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/02" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 89c4fcd7e..1c72492fb 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/03" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -42,19 +43,17 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" - [[rule.threat.technique.subtechnique]] - id = "T1021.003" - name = "Distributed Component Object Model" - reference = "https://attack.mitre.org/techniques/T1021/003/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -67,6 +66,7 @@ name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index 182ba9ef9..eef975b11 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/06" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -41,11 +42,11 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" - [[rule.threat.technique.subtechnique]] - id = "T1021.003" - name = "Distributed Component Object Model" - reference = "https://attack.mitre.org/techniques/T1021/003/" [rule.threat.tactic] diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index 66c6bce4f..c4bdd1edd 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/06" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -42,11 +43,11 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" - [[rule.threat.technique.subtechnique]] - id = "T1021.003" - name = "Distributed Component Object Model" - reference = "https://attack.mitre.org/techniques/T1021/003/" [rule.threat.tactic] 
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index f550196c9..157565a62 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml @@ -1,15 +1,16 @@ [metadata] creation_date = "2021/03/22" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could -be indicative of adversary lateral movement preparation by making the added pipe available to everyone. +Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be +indicative of adversary lateral movement preparation by making the added pipe available to everyone. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -51,3 +52,4 @@ reference = "https://attack.mitre.org/techniques/T1021/002/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index 0ab303d8a..591726199 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -50,8 +51,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -107,14 +108,14 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -name = "Remote Services" id = "T1021" +name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" - [[rule.threat.technique.subtechnique]] - name = "SMB/Windows Admin Shares" - id = "T1021.002" - reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index e8f51e328..2246851dd 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/12" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index 923f75550..e375b06b9 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/10" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
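Review bot: The two rewritten osquery lines in this hunk leave bare `"` characters inside the `query` value of the `!{osquery{...}}` payload (`LIKE "%LocalSystem"`, `!= "trusted"`); if Kibana parses that payload as JSON, the first unescaped quote terminates the string and the investigation-guide query will fail to load. Whether the decoded note already contained unescaped quotes before this change depends on whether `note` is a basic `"""` string (where `\"` decodes to `"`) or a literal one — that assignment starts outside the hunk — but either way the quoting is fragile. Switching the SQL literals to single quotes removes the need for escaping: `WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)` and `WHERE authenticode.result != 'trusted'`. Note also that `user_account == null` never evaluates true in SQLite (it yields NULL), so `IS NULL` is the form that actually expresses the intent.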
@@ -82,21 +83,21 @@ sequence by host.id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + [[rule.threat.technique]] id = "T1570" name = "Lateral Tool Transfer" reference = "https://attack.mitre.org/techniques/T1570/" -[[rule.threat.technique]] -id = "T1021" -name = "Remote Services" -reference = "https://attack.mitre.org/techniques/T1021/" - - [[rule.threat.technique.subtechnique]] - id = "T1021.002" - name = "SMB/Windows Admin Shares" - reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index f4e7c78b9..d8c8c4798 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/11" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 03714ec83..ab492d295 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/03"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -44,8 +45,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index 285d54702..ee96aee95 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/24" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index af3522a60..dc04b0010 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/15" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -34,9 +35,9 @@ sequence by host.id with maxspan = 2s /* Excluding Common FPs Nessus and SCCM */ [process where event.type == "start" and process.parent.name : "WmiPrvSE.exe" and - not process.args : ("C:\\windows\\temp\\nessus_*.txt", - "C:\\windows\\TEMP\\nessus_*.TMP", - "C:\\Windows\\CCM\\SystemTemp\\*", + not process.args : ("C:\\windows\\temp\\nessus_*.txt", + "C:\\windows\\TEMP\\nessus_*.TMP", + "C:\\Windows\\CCM\\SystemTemp\\*", "C:\\Windows\\CCMCache\\*", "C:\\CCM\\Cache\\*") ] 
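Review bot: The `+` osquery lines in this hunk embed unescaped double quotes (`LIKE "%LocalSystem"`, `!= "trusted"`) inside the JSON-style `"query":"..."` value of the `!{osquery{...}}` block, which will break a strict JSON parse of the payload at the first inner quote. The enclosing `note = ...` assignment begins outside the hunk, so I cannot tell from here whether the TOML string type was already decoding `\"` to `"` before this change; the dropped backslashes make the problem visible rather than introducing it, but the result is still a query Kibana may refuse to render. Use single-quoted SQL literals instead, e.g. `user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL` and `authenticode.result != 'trusted'`, which needs no escaping in either TOML or JSON. `IS NULL` also replaces `== null`, which in SQLite never returns true.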
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index f20655ecd..65c44c85a 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/02" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/01" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index 7ca58f872..5744aaf92 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -1,15 +1,16 @@ [metadata] creation_date = "2020/11/24" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows -PowerShell command on one or more remote computers. This could be an indication of lateral movement. +Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any +Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. """ false_positives = [ """ diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 0ff84aa08..940d82449 100644 
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/25" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index c8a869ba1..2a22f2746 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/11" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -53,11 +54,11 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" - [[rule.threat.technique.subtechnique]] - id = "T1021.001" - name = "Remote Desktop Protocol" - reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index dee41fabf..fec006f09 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/04" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml index 002773e38..e5b5e3312 100644 --- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml +++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/08/30" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 986ef9a5c..d721d353c 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/16" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -57,8 +58,8 @@ software installations. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of 
the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -87,7 +88,9 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"] +references = [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f", +] risk_score = 47 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650" severity = "medium" @@ -101,7 +104,7 @@ sequence with maxspan=1s source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" ] by host.id, process.entity_id - [process where event.type == "start" and process.parent.name : "services.exe" and + [process where event.type == "start" and process.parent.name : "services.exe" and not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and not (process.name : "msiexec.exe" and process.args : "/V") and not process.executable : diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml index bb57efdd2..92a164112 100644 --- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml +++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/08/29" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml index cf7c9df3f..ba36c6283 100644 --- a/rules/windows/lateral_movement_scheduled_task_target.toml +++ b/rules/windows/lateral_movement_scheduled_task_target.toml 
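Review bot: The rewritten osquery lines now contain bare `"` inside the `query` string of `!{osquery{...}}` (`LIKE "%LocalSystem"`, `!= "trusted"`), so the payload is no longer well-formed JSON if that is how Kibana consumes it; the services-on-user-accounts and unsigned-executables buttons in this guide are the ones affected. Because `note` starts outside the hunk I cannot confirm whether the original `\"` survived TOML decoding, but the safe form regardless is single-quoted SQL literals: `WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)` and `WHERE authenticode.result != 'trusted'`. While editing the line, `user_account == null` should become `user_account IS NULL`, since an equality comparison with NULL is never true in SQLite.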
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/20" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -88,11 +89,11 @@ framework = "MITRE ATT&CK" id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique.subtechnique]] - id = "T1053.005" - name = "Scheduled Task" - reference = "https://attack.mitre.org/techniques/T1053/005/" [rule.threat.tactic] diff --git a/rules/windows/lateral_movement_service_control_spawned_script_int.toml b/rules/windows/lateral_movement_service_control_spawned_script_int.toml index 657b8bec8..49131e487 100644 --- a/rules/windows/lateral_movement_service_control_spawned_script_int.toml +++ b/rules/windows/lateral_movement_service_control_spawned_script_int.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index cdec153a0..19a754c80 100644 --- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml +++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index 98c55b9c5..e30918875 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml index 708403dc0..a4e95f7f4 100644 --- a/rules/windows/persistence_ad_adminsdholder.toml +++ b/rules/windows/persistence_ad_adminsdholder.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/01/31" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -40,6 +41,6 @@ framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 66788d50f..890f5ab79 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -42,8 +43,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -76,9 +77,7 @@ mean time to respond (MTTR). If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = [ - "https://twitter.com/pabraeken/status/997997818362155008", -] +references = ["https://twitter.com/pabraeken/status/997997818362155008"] risk_score = 21 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86" severity = "low" diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml index d87e818c2..8facccf5e 100644 --- a/rules/windows/persistence_app_compat_shim.toml +++ b/rules/windows/persistence_app_compat_shim.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/02" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index bd333a6fa..0940313e3 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
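Review bot: The `+` lines in this hunk put unescaped `"` inside the `"query":"..."` value of the `!{osquery{...}}` payload (`LIKE "%LocalSystem"`, `!= "trusted"`), which a JSON parser will treat as the end of the string; the same pattern appears in several other rules touched by this commit, so one fix should be applied consistently. The `note` assignment that wraps these lines starts outside the hunk, so I cannot verify from this view whether the TOML string was basic or literal before the backslashes were dropped. Either way, single-quoted SQL literals avoid the escaping layer entirely: `WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account IS NULL)` and `WHERE authenticode.result != 'trusted'`. `IS NULL` is preferred over `== null`, which never matches in SQLite.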
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index 10bda16b9..3148e334b 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml index c7f7e181d..2006221d3 100644 --- a/rules/windows/persistence_dontexpirepasswd_account.toml +++ b/rules/windows/persistence_dontexpirepasswd_account.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/02/22" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -72,7 +73,15 @@ references = [ risk_score = 47 rule_id = "62a70f6f-3c37-43df-a556-f64fa475fba2" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -83,12 +92,12 @@ event.action:"modified-user-account" and event.code:"4738" and message:"'Don't E [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
diff --git a/rules/windows/persistence_driver_newterm_imphash.toml b/rules/windows/persistence_driver_newterm_imphash.toml index 113a4d4a2..320b65e65 100644 --- a/rules/windows/persistence_driver_newterm_imphash.toml +++ b/rules/windows/persistence_driver_newterm_imphash.toml @@ -3,13 +3,14 @@ creation_date = "2022/12/19" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2022/12/19" +integration = ["endpoint"] +updated_date = "2023/01/23" [rule] author = ["Elastic"] description = """ -Identifies the load of a driver with an original file name and signature values that were observed -for the first time during the last 30 days. This rule type can help baseline drivers installation +Identifies the load of a driver with an original file name and signature values that were observed +for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment. """ from = "now-9m" @@ -26,7 +27,7 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.category : "driver" and event.action : "load" +event.category : "driver" and event.action : "load" ''' diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index 2616704b9..1cf539b2d 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
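Review bot: `integration = ["endpoint"]` is inserted after `min_stack_version` in this metadata hunk, whereas every other metadata hunk visible in this diff places it directly after `creation_date`, keeping the `[metadata]` keys in alphabetical order. If the other files were emitted by the project's TOML serializer, this one looks hand-edited and would likely be reordered on the next round-trip; moving the line up so the block reads `creation_date = "2022/12/19"` followed by `integration = ["endpoint"]` avoids a noise diff later.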
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index b322eb391..a83eb10d1 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/17" +integration = ["endpoint"] maturity = "production" -updated_date = "2022/08/24" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index aaa6f2a80..f6abd213b 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/03/15" +integration = ["endpoint"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -48,8 +49,8 @@ installations. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes 
in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -122,3 +123,4 @@ reference = "https://attack.mitre.org/techniques/T1547/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml index 1d40d80dc..396a61657 100644 --- a/rules/windows/persistence_gpo_schtask_service_creation.toml +++ b/rules/windows/persistence_gpo_schtask_service_creation.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/13" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/26" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index 44117c477..6f1b47e23 100644 --- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/03/15" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index 0724f5ef4..62f235184 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml 
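Review bot: The rewritten osquery lines drop the backslashes, so the new side reads `"query":"SELECT ... WHERE NOT (user_account LIKE "%LocalSystem" OR ...` — a double-quoted JSON string value that now contains bare double quotes, which a strict JSON parser rejects before the `!{osquery{...}}` widget can render it. The opening delimiter of `note` is outside the hunk: if it is a basic `"""` string, `\"` and `"` parse to the same bare quote and this is a serializer artefact that leaves the underlying quoting problem in place; if it is a literal `'''` string, the change removes JSON escaping that was valid. Either way the safer form is single-quoted SQL literals, e.g. `user_account LIKE '%LocalSystem'` and `authenticode.result != 'trusted'`, which keeps the JSON payload free of nested double quotes; please confirm the widget renders in Kibana after this change. The same edit appears in persistence_priv_escalation_via_accessibility_features.toml, persistence_run_key_and_startup_broad.toml, persistence_startup_folder_file_written_by_suspicious_process.toml and persistence_startup_folder_file_written_by_unsigned_process.toml.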
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -18,9 +19,9 @@ language = "eql" license = "Elastic License v2" name = "Local Scheduled Task Creation" references = [ - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2" - ] + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2", +] risk_score = 21 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a" severity = "low" @@ -51,7 +52,6 @@ framework = "MITRE ATT&CK" id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index e691e45ab..0b93ac78a 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/29" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -41,11 +42,11 @@ framework = "MITRE ATT&CK" id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique.subtechnique]] - id = "T1053.005" - name = "Scheduled Task" - reference = "https://attack.mitre.org/techniques/T1053/005/" [rule.threat.tactic] diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index b05a57b69..f83141be7 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/16" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index d8b6f1cbd..2fa240431 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/23" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index 071fc2018..04bed4403 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml 
@@ -1,5 +1,6 @@ [metadata] creation_date = "2022/01/27" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -50,27 +51,26 @@ event.action:modified-user-account and event.code:4738 and winlog.event_data.All [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" -reference = "https://attack.mitre.org/techniques/T1098/" name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" name = "Persistence" - - +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index de6bb59eb..63fc87dce 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/15" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_powersshell_profiles.toml b/rules/windows/persistence_powersshell_profiles.toml index 902f45746..eab9abbac 100644 --- a/rules/windows/persistence_powersshell_profiles.toml +++ b/rules/windows/persistence_powersshell_profiles.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2022/10/13" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -19,7 +20,7 @@ license = "Elastic License v2" name = "Persistence via PowerShell profile" references = [ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", ] risk_score = 47 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31" diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index 1a2982cd2..3dfcfc101 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -54,8 +55,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index a88cd84cc..a6e8c2848 100644 --- a/rules/windows/persistence_registry_uncommon.toml +++ b/rules/windows/persistence_registry_uncommon.toml @@ -1,15 +1,16 @@ [metadata] creation_date = "2020/11/18" +integration = ["endpoint"] maturity = "production" -updated_date = "2022/08/24" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] description = """ -Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be -an indication of an adversary's attempt to persist in a stealthy manner. +Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could +be an indication of an adversary's attempt to persist in a stealthy manner. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -91,16 +92,15 @@ registry where [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" - [[rule.threat.technique.subtechnique]] - id = "T1547.001" - name = "Registry Run Keys / Startup Folder" - reference = "https://attack.mitre.org/techniques/T1547/001/" [rule.threat.tactic] diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml index fe8ff8725..22cb2b45e 100644 --- a/rules/windows/persistence_remote_password_reset.toml 
+++ b/rules/windows/persistence_remote_password_reset.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2021/10/18" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -21,7 +22,7 @@ references = [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", - "https://www.elastic.co/security-labs/detect-credential-access" + "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 47 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450" @@ -53,12 +54,12 @@ sequence by winlog.computer_name with maxspan=5m framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1098" -reference = "https://attack.mitre.org/techniques/T1098/" name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index 3ebe52723..a823cfab6 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/18" +integration = ["endpoint"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" - +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -49,8 +49,8 @@ software installations. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of 
the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -142,3 +142,4 @@ reference = "https://attack.mitre.org/techniques/T1547/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml index f301bd220..1852a0066 100644 --- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml index 3c90c8390..bfbfc72f3 100644 --- a/rules/windows/persistence_scheduled_task_creation_winlog.toml +++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/08/29" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml index 8ec4b4e72..84e5f0710 100644 --- a/rules/windows/persistence_scheduled_task_updated.toml +++ b/rules/windows/persistence_scheduled_task_updated.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/08/29" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index a54ad3da8..ee7d1979b 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/02/24" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -92,7 +93,15 @@ references = [ risk_score = 73 rule_id = "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Persistence", + "Active Directory", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml index d8c3b2529..ff03bfcd5 100644 --- a/rules/windows/persistence_service_windows_service_winlog.toml +++ b/rules/windows/persistence_service_windows_service_winlog.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/08/30" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index 9a42da61f..b18ef8566 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/18"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 9c08de978..1b45fd434 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -48,8 +49,8 @@ software installations. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of 
the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -87,9 +88,7 @@ mean time to respond (MTTR). If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = [ - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" -] +references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"] risk_score = 47 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde" severity = "medium" diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index 03bfc527b..71f3647d5 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/29" +integration = ["endpoint"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -48,8 +49,8 @@ software installations. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of 
the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index bfe90546d..358cd1d14 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/18" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -48,8 +49,8 @@ software installations. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of 
the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index de91b89e8..a7f457122 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/18" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/01" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -125,3 +126,4 @@ reference = "https://attack.mitre.org/techniques/T1546/015/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index d0f23ab06..a0ebcfe97 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/17" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index 10e4e202a..0957a14d7 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/19" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index 3867e7951..e7d2b5e88 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/23" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 8f3721c5a..1a1aed371 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index 07b021632..de92808fb 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml 
@@ -1,5 +1,6 @@ [metadata] creation_date = "2022/08/29" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -21,7 +22,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti risk_score = 47 rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Persistence"] +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] type = "eql" query = ''' @@ -30,7 +31,6 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"] ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -48,16 +48,3 @@ reference = "https://attack.mitre.org/techniques/T1053/005/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1070" -name = "Indicator Removal" -reference = "https://attack.mitre.org/techniques/T1070/" - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index acf6d3330..672b5f69a 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/19" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
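Review bot: The `@@ -48,16 +48,3 @@` hunk removes the whole T1070 / TA0005 `[[rule.threat]]` block and the matching `Defense Evasion` entry in `tags`, yet the query's second leg is still `[iam where event.action == "scheduled-task-deleted" and not user.name : "*$"]`, so the rule fires precisely on a task being created and then deleted within `maxspan=5m`, which is the indicator-removal behaviour the dropped mapping described. Nothing in this diff says why the mapping was considered wrong, and `updated_date` is not bumped in this file either. If the removal is intentional, the rationale belongs in the commit message so the ATT&CK coverage change is traceable; otherwise restoring the T1070 block and the `"Defense Evasion"` tag keeps the mapping consistent with the query. The `[rule]` body of this file is only partly visible in the hunks.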
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index f0d4bc3f5..3134ab074 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2021/01/09" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index aeaabb03c..ed73e4e42 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml index f23fa3127..b4334f7b4 100644 --- a/rules/windows/persistence_user_account_creation_event_logs.toml +++ b/rules/windows/persistence_user_account_creation_event_logs.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2021/01/04" +integration = ["windows"] maturity = "development" updated_date = "2022/12/21" 
@@ -38,16 +39,16 @@ framework = "MITRE ATT&CK" id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" - [[rule.threat.technique.subtechnique]] - id = "T1136.001" - name = "Local Account" - reference = "https://attack.mitre.org/techniques/T1136/001/" +[[rule.threat.technique.subtechnique]] +id = "T1136.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1136/002/" - [[rule.threat.technique.subtechnique]] - id = "T1136.002" - name = "Domain Account" - reference = "https://attack.mitre.org/techniques/T1136/002/" [rule.threat.tactic] diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 05665376e..453407281 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/02/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/13" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -29,8 +30,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type == "start" and process.name : "sdbinst.exe" and - not (process.args : "-m" and process.args : "-bg") and +process where event.type == "start" and process.name : "sdbinst.exe" and + not (process.args : "-m" and process.args : "-bg") and not process.args : "-mm" ''' diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index fd414d53d..82c913059 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml 
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/12/04" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index fe1983570..06fa08b61 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/15" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 115c37e1b..bfc21218c 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 534721e92..d52a219c5 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml 
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/17" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 060001eb7..b9672f079 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/17" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -51,8 +52,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index daeeb9a00..2f142104f 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/12/04" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -21,9 +22,7 @@ note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references= [ - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" -] +references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"] risk_score = 21 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c" severity = "low" diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index 68e397ccb..8041117b4 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2021/03/15" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -18,7 +19,8 @@ license = "Elastic License v2" name = "Persistence via WMI Standard Registry Provider" references = [ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"] + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", +] risk_score = 73 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6" severity = "high" @@ -60,16 +62,6 @@ registry where [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" -[[rule.threat.technique.subtechnique]] -id = "T1547.001" -name = "Registry Run Keys / Startup Folder" -reference = "https://attack.mitre.org/techniques/T1547/001/" - - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -80,6 +72,16 @@ name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" + + [rule.threat.tactic] id = "TA0003" @@ -97,3 +99,4 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 2df0d09d2..81a8c57d0 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/08/24" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -80,7 +81,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version references = [ "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", - "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", ] risk_score = 73 rule_id = "2917d495-59bd-4250-b395-c29409b76086" diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index 842c395e2..f43fedaa1 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/08/30" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -37,7 +38,7 @@ sequence by winlog.computer_name with maxspan=1m event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and /* seclogon service */ - process.name == "svchost.exe" and + process.name == "svchost.exe" and winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId [process where event.type == "start"] by winlog.event_data.TargetLogonId diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index d20268fb1..4dfcff827 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/11/09" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -8,8 +9,8 @@ updated_date = "2022/12/21" [rule] author = ["Elastic"] description = """ -Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse -the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials +Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can +abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests. """ 
@@ -42,9 +43,9 @@ Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType W ``` """ references = [ -"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", -"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", -"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", ] risk_score = 47 rule_id = "670b3b5a-35e5-42db-bd36-6c5b9b4b7313" @@ -72,3 +73,4 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index bf5dde012..8ef2f70b7 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/01/20" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 7795b0d61..ee8b39aac 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml 
@@ -1,5 +1,6 @@ [metadata] creation_date = "2021/11/08" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -7,9 +8,7 @@ updated_date = "2022/12/21" [rule] author = ["Elastic"] -description = """ -Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. -""" +description = "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects." false_positives = ["Legitimate Administrative Activity"] index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "kuery" @@ -85,12 +84,20 @@ Audit Directory Service Changes (Success,Failure) references = [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", - "https://labs.f-secure.com/tools/sharpgpoabuse" + "https://labs.f-secure.com/tools/sharpgpoabuse", ] risk_score = 47 rule_id = "16fac1a1-21ee-4ca6-b720-458e3855d046" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
@@ -111,23 +118,24 @@ or [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1547/" -id = "T1547" -name = "Boot or Logon Autostart Execution" - -[[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1484/" id = "T1484" name = "Domain Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" +[[rule.threat.technique.subtechnique]] +id = "T1484.001" +name = "Group Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/001/" + + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] - reference = "https://attack.mitre.org/techniques/T1484/001/" - id = "T1484.001" - name = "Group Policy Modification" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0004/" id = "TA0004" name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index 5168ad08c..e429474cd 100644 --- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2021/11/08" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -22,7 +23,7 @@ note = """## Triage and analysis Group Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. -Example Path: "\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" +Example Path: "\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" #### Possible investigation steps @@ -72,7 +73,15 @@ references = [ risk_score = 73 rule_id = "b9554892-5e0e-424b-83a0-5aef95aa43bf" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Active Directory", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "query" @@ -84,18 +93,19 @@ winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *80 [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1484/" id = "T1484" name = "Domain Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" +[[rule.threat.technique.subtechnique]] +id = "T1484.001" +name = "Group Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/001/" + - [[rule.threat.technique.subtechnique]] - reference = "https://attack.mitre.org/techniques/T1484/001/" - id = "T1484.001" - name = "Group Policy Modification" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0004/" id = "TA0004" name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + 
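Review bot: The rewritten `Example Path` line in the first hunk no longer renders as a UNC path. `note` is a TOML multi-line basic string (`note = """…`, per the hunk header), in which `\\` is an escape producing a single backslash, so the old `"\\\\DC.com\\SysVol\\…"` rendered as `\\DC.com\SysVol\…` while the new `"\\DC.com\\SysVol\\…"` renders as `\DC.com\SysVol\…`, one backslash short of a valid path to SYSVOL. Restore the leading pair: `Example Path: "\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf"`. If this line came from an automated TOML re-serialization, the other investigation guides it touched should be spot-checked in rendered form for the same backslash loss.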
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 91745bd4c..3660ace9a 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -1,5 +1,6 @@
 [metadata]
 creation_date = "2021/11/08"
+integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -8,7 +9,8 @@ updated_date = "2022/12/21"
 [rule]
 author = ["Elastic"]
 description = """
-Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.
+Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the
+GPO.
 """
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
@@ -85,12 +87,20 @@ references = [
     "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
     "https://labs.f-secure.com/tools/sharpgpoabuse",
     "https://twitter.com/menasec1/status/1106899890377052160",
-    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"
+    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml",
 ]
 risk_score = 47
 rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Privilege Escalation",
+    "Active Directory",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -105,28 +115,29 @@ or [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1053/" id = "T1053" name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" - [[rule.threat.technique.subtechnique]] - reference = "https://attack.mitre.org/techniques/T1053/005/" - id = "T1053.005" - name = "Scheduled Task" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1484/" id = "T1484" name = "Domain Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" +[[rule.threat.technique.subtechnique]] +id = "T1484.001" +name = "Group Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/001/" + - [[rule.threat.technique.subtechnique]] - reference = "https://attack.mitre.org/techniques/T1484/001/" - id = "T1484.001" - name = "Group Policy Modification" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0004/" id = "TA0004" name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index be2ef43d0..4ba2fa646 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/11/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/11/04" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/14" [rule] author = ["Elastic"] 
@@ -49,8 +50,8 @@ for prevalence, whether they are located in expected locations, and if they are processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` 
 cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index 92a98a340..b37a2f48a 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -1,5 +1,6 @@
 [metadata]
 creation_date = "2022/04/27"
+integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 1f98312c7..ed541ca10 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/21"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 7a59433a8..dbe893aef 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/23"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
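Review bot: The rewritten `!{osquery{…}}` lines in this hunk (it starts on the previous line, inside the rule's `note` string whose opening is outside the hunk) leave unescaped double quotes inside a JSON string value. In a TOML multi-line basic string `\"` and `"` both yield a literal quote, so the rendered text is unchanged by this commit, but that text is a `{"query":"…","label":"…"}` object whose `query` value contains `"%LocalSystem"`, `"%LocalService"`, `"%NetworkService"` and `"trusted"`, which is not valid JSON and relies on lenient parsing by the osquery markdown plugin. Since osquery's SQLite dialect takes single-quoted string literals, the robust form is `user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService'` and `authenticode.result != 'trusted'`. Separately, `OR user_account == null` in the first query evaluates to NULL rather than true or false under SQLite's three-valued logic, so `NOT (…)` is never true and the "Services Running on User Accounts" query returns no rows; it should read `OR user_account IS NULL`. The same two lines recur in the printspooler_suspicious_spl_file, uac_bypass_event_viewer and uac_bypass_mock_windir hunks below and need the same treatment.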
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index c4f0eba75..1109be724 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -1,5 +1,6 @@
 [metadata]
 creation_date = "2020/01/07"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -81,7 +82,15 @@ references = [
 risk_score = 73
 rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation", "Investigation Guide"]
+tags = [
+    "Elastic",
+    "Host",
+    "Windows",
+    "Threat Detection",
+    "Persistence",
+    "Privilege Escalation",
+    "Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index 9b97e46ab..ce499c829 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/01/21"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index 48c33a348..66d19d713 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -1,9 +1,10 @@ [metadata] creation_date = "2022/08/17" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/17" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -37,10 +38,10 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ references = [ - "https://github.com/decoder-it/psgetsystem", - "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + "https://github.com/decoder-it/psgetsystem", + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", ] risk_score = 47 rule_id = "11dd9713-0ec6-4110-9707-32daae1ee68c" 
@@ -67,52 +68,52 @@ event.category:process and ("DuplicateToken" or "DuplicateTokenEx") and ("SetThreadToken" or - "ImpersonateLoggedOnUser" or - "CreateProcessWithTokenW" or - "CreatePRocessAsUserW" or + "ImpersonateLoggedOnUser" or + "CreateProcessWithTokenW" or + "CreatePRocessAsUserW" or "CreateProcessAsUserA") - ) + ) ) ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] -name = "Access Token Manipulation" id = "T1134" +name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" - [[rule.threat.technique.subtechnique]] -name = "Token Impersonation/Theft" id = "T1134.001" +name = "Token Impersonation/Theft" reference = "https://attack.mitre.org/techniques/T1134/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] +id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" -id = "T1059" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique.subtechnique]] - name = "PowerShell" - reference = "https://attack.mitre.org/techniques/T1059/001/" - id = "T1059.001" [[rule.threat.technique]] +id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" -id = "T1106" + [rule.threat.tactic] +id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" -id = "TA0002" diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml index 3f477aa0f..0e443e572 100644 --- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/26" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 948d82029..f5c4d7f3d 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/14" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/15" +updated_date = "2022/12/21" [rule] author = ["Elastic"] @@ -33,13 +34,13 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where event.type == "creation" and +file where event.type == "creation" and process.name : "spoolsv.exe" and file.extension : "dll" and - file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and - not file.path : - ("?:\\WINDOWS\\SysWOW64\\PrintConfig.dll", - "?:\\WINDOWS\\system32\\x5lrs.dll", - "?:\\WINDOWS\\sysWOW64\\x5lrs.dll", + file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and + not file.path : + ("?:\\WINDOWS\\SysWOW64\\PrintConfig.dll", + "?:\\WINDOWS\\system32\\x5lrs.dll", + "?:\\WINDOWS\\sysWOW64\\x5lrs.dll", "?:\\WINDOWS\\system32\\PrintConfig.dll") ''' diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index 3e0f3bc2d..001227bbd 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml 
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/07/06" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -26,9 +27,7 @@ note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", -] +references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] risk_score = 47 rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799" severity = "medium" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index 60938ed6a..564a7b5e6 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/14" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2022/12/15" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2022/12/21" [rule] author = ["Elastic"] 
@@ -50,8 +51,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. @@ -103,19 +104,19 @@ file where event.type != "deletion" and "PrintIsolationHost.exe", "splwow64.exe", "msiexec.exe", - "poqexec.exe") and - not user.id : "S-1-5-18" and - not process.executable : + "poqexec.exe") and + not user.id : "S-1-5-18" and + not process.executable : ("?:\\Windows\\System32\\mmc.exe", - "\\Device\\Mup\\*.exe", - "?:\\Windows\\System32\\svchost.exe", - "?:\\Windows\\System32\\mmc.exe", - "?:\\Windows\\System32\\printui.exe", - "?:\\Windows\\System32\\mstsc.exe", - "?:\\Windows\\System32\\spool\\*.exe", - "?:\\Program Files\\*.exe", - "?:\\Program Files (x86)\\*.exe", - "?:\\PROGRA~1\\*.exe", + "\\Device\\Mup\\*.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Windows\\System32\\printui.exe", + "?:\\Windows\\System32\\mstsc.exe", + "?:\\Windows\\System32\\spool\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\PROGRA~1\\*.exe", "?:\\PROGRA~2\\*.exe") ''' diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml index 383a55656..d5651b6ca 100644 --- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/11/26" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml index bbc7ca334..b0e7096a7 100644 --- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml 
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -1,5 +1,6 @@
 [metadata]
 creation_date = "2021/12/12"
+integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index 35691e2de..1b615e083 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -1,5 +1,6 @@
 [metadata]
 creation_date = "2022/05/11"
+integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -10,7 +11,8 @@ author = ["Elastic"]
 description = """
 Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain
 controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation
-step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.
+step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin
+privileges.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
@@ -38,8 +40,8 @@ sequence by winlog.computer_name with maxspan=5m [iam where event.action == "changed-computer-account" and /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */ - winlog.event_data.DnsHostName : "??*" and - + winlog.event_data.DnsHostName : "??*" and + /* exclude FPs where DnsHostName starts with the ComputerName that was changed */ not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1)) ] by winlog.event_data.SubjectLogonId diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml index aa6593584..a5cbd5270 100644 --- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml +++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/10/20" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/20" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -83,3 +84,4 @@ reference = "https://attack.mitre.org/techniques/T1134/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 7757fc1e8..1ff06c2de 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/10/28"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 934382b13..df6d6e0de 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/11/03"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index 3e0d7af18..aa5cd6dd2 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/10/19"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 90515eff7..30ed1f1ff 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/08/18" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index 6b281c3ec..0b52e6f2c 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/10/27" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/07" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -21,8 +22,9 @@ note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ - "https://github.com/hfiref0x/UACME", - "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"] + "https://github.com/hfiref0x/UACME", + "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies", +] risk_score = 73 rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3" severity = "high" diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index 463b7c35d..0366f8339 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml 
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/03/17"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -56,8 +57,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
 reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 8742522f3..66a1ab99f 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/10/26"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -53,8 +54,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 9de4d9ac8..ae02c0ee7 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/10/14"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -53,8 +54,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index bdc1bd346..a1e430b7e 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/02"
+integration = ["endpoint", "windows"]
 maturity = "development"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index e3f37b0dc..027774469 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
+integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2022/11/04"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -48,8 +49,8 @@ and any spawned child processes. processes in the process tree. - Examine the host services for suspicious or anomalous entries. - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE "%LocalSystem" OR user_account LIKE "%LocalService" OR user_account LIKE "%NetworkService" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} + - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != "trusted"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index dede16941..ec2e3a120 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/07/06" +integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -26,9 +27,7 @@ note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", -] +references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] risk_score = 47 rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1" severity = "medium" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 20b55666e..40e81d588 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml 
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/10/13"
+integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
index 77b2af01d..e81d02b11 100644
--- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml
+++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/10/20"
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/20"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -79,3 +80,4 @@ reference = "https://attack.mitre.org/techniques/T1134/004/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index a325fb534..1acf87252 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2021/10/13"
+integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/10/11"
+updated_date = "2022/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +28,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version references = [ "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", - "https://twitter.com/SBousseaden/status/1429530155291193354" + "https://twitter.com/SBousseaden/status/1429530155291193354", ] risk_score = 73 rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241" @@ -47,12 +48,12 @@ file where event.action : "Pipe Created*" and framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1134" -reference = "https://attack.mitre.org/techniques/T1134/" name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" [rule.threat.tactic] id = "TA0004" -reference = "https://attack.mitre.org/tactics/TA0004/" name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml index bf9215a22..64aefa8f8 100644 --- a/rules/windows/privilege_escalation_via_token_theft.toml +++ b/rules/windows/privilege_escalation_via_token_theft.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2022/10/20" +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, process.Ext.effective_parent.executable" min_stack_version = "8.4.0" -updated_date = "2022/10/20" +updated_date = "2022/12/14" [rule] author = ["Elastic"] @@ -78,3 +79,4 @@ reference = "https://attack.mitre.org/techniques/T1134/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml index 69ab640b7..b21d26b5b 100644 --- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml 
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml @@ -1,5 +1,6 @@ [metadata] creation_date = "2022/02/07" +integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -36,7 +37,7 @@ Audit Security System Extension (Success) references = [ "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md" + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md", ] risk_score = 73 rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2" @@ -53,18 +54,18 @@ event.action:"service-installed" and (winlog.event_data.ClientProcessId:"0" or [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -reference = "https://attack.mitre.org/techniques/T1543/" id = "T1543" name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique.subtechnique]] -reference = "https://attack.mitre.org/techniques/T1543/003/" id = "T1543.003" name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] -reference = "https://attack.mitre.org/tactics/TA0004/" id = "TA0004" name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml index 807b59a56..b514c4c8a 100644 --- a/rules/windows/privilege_escalation_wpad_exploitation.toml +++ b/rules/windows/privilege_escalation_wpad_exploitation.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/02" +integration = ["endpoint"] maturity = "development" -updated_date = "2022/09/15" +updated_date = "2022/12/14" [rule] author = ["Elastic"] diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index a237fb236..48c36ae7a 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -7,6 +7,7 @@ import os import re import warnings +import unittest from collections import defaultdict from pathlib import Path @@ -25,6 +26,8 @@ from rta import get_available_tests from .base import BaseRuleTest +PACKAGE_STACK_VERSION = Version(current_stack_version()) + (0,) + class TestValidRules(BaseRuleTest): """Test that all detection rules load properly without duplicates.""" 
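Review bot: `PACKAGE_STACK_VERSION = Version(current_stack_version()) + (0,)` is evaluated at import time and carries no comment explaining the `(0,)`; presumably `current_stack_version()` yields a two-part major.minor value and the appended tuple element pads it so it compares against the three-part `Version("8.3.0")` used in the `skipIf` further down, but nothing in the hunk shows that. A one-line comment such as `# pad the major.minor package version with a patch component so it compares against three-part Version literals` would spare the next reader the guess, and `Version` and `current_stack_version` must already be imported above this hunk, which is outside it. In the preceding hunk, `import unittest` is placed after `import warnings`, breaking the alphabetical order the surrounding stdlib imports keep.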
@@ -435,33 +438,56 @@ class TestRuleMetadata(BaseRuleTest): rule_str = f'{rule_id} - {entry["rule_name"]} ->' self.assertIn(rule_id, deprecated_rules, f'{rule_str} is logged in "deprecated_rules.json" but is missing') - def test_integration(self): - """Test that rules in integrations folders have matching integration defined.""" + @unittest.skipIf(PACKAGE_STACK_VERSION < Version("8.3.0"), + "Test only applicable to 8.3+ stacks regarding related integrations build time field.") + def test_integration_tag(self): + """Test integration rules defined by metadata tag.""" failures = [] + non_dataset_packages = ["apm", "endpoint", "windows", "winlog"] packages_manifest = load_integrations_manifests() + valid_integration_folders = [p.name for p in list(Path(INTEGRATION_RULE_DIR).glob("*")) if p.name != 'endpoint'] for rule in self.production_rules: - rule_integration = rule.contents.metadata.get('integration') + rule_integrations = rule.contents.metadata.get('integration') + if rule_integrations: + rule_integrations = [rule_integrations] if isinstance(rule_integrations, str) else rule_integrations + for rule_integration in rule_integrations: + # checks if metadata tag matches from a list of integrations in EPR + if rule_integration not in packages_manifest.keys(): + err_msg = f"{self.rule_str(rule)} integration '{rule_integration}' unknown" + failures.append(err_msg) - # checks if metadata tag matches from a list of integrations in EPR - if rule_integration and rule_integration not in packages_manifest.keys(): - err_msg = f"{self.rule_str(rule)} integration '{rule_integration}' unknown" - failures.append(err_msg) + # checks if the rule path matches the intended integration + if rule_integration in valid_integration_folders: + if rule_integration != rule.path.parent.name: + err_msg = f'{self.rule_str(rule)} {rule_integration} tag, path is {rule.path.parent.name}' + failures.append(err_msg) - # checks if the rule path matches the intended integration - 
valid_integration_folders = [p.name for p in list(Path(INTEGRATION_RULE_DIR).glob("*"))] - if rule_integration and rule_integration in valid_integration_folders: - if rule_integration != rule.path.parent.name: - err_msg = f'{self.rule_str(rule)} {rule_integration} tag, but path is {rule.path.parent.name}' - failures.append(err_msg) + else: + # checks if event.dataset exists in query object and a tag exists in metadata + if isinstance(rule.contents.data, QueryRuleData) and rule.contents.data.language != 'lucene': + trc = TOMLRuleContents(rule.contents.metadata, rule.contents.data) + package_integrations = trc._get_packaged_integrations(packages_manifest) + if package_integrations: + err_msg = f'{self.rule_str(rule)} integration tag should exist: ' + failures.append(err_msg) - # checks if event.dataset exists in query object and a tag exists in metadata - if isinstance(rule.contents.data, QueryRuleData) and rule.contents.data.language != 'lucene': - trc = TOMLRuleContents(rule.contents.metadata, rule.contents.data) - package_integrations = trc._get_packaged_integrations(packages_manifest) - if package_integrations and not rule_integration: - err_msg = f'{self.rule_str(rule)} integration tag should exist: ' + # checks if rule has index pattern integration and the integration tag exists + # ignore the External Alerts rule, Threat Indicator Matching Rules, Guided onboarding + ignore_ids = [ + "eb079c62-4481-4d6e-9643-3ca499df7aaa", + "699e9fdb-b77c-4c01-995c-1c15019b9c43", + "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0", + "a198fbbd-9413-45ec-a269-47ae4ccf59ce" + ] + if any([re.search("|".join(non_dataset_packages), i, re.IGNORECASE) + for i in rule.contents.data.index]): + if not rule.contents.metadata.integration and rule.id not in ignore_ids: + err_msg = f'substrings {non_dataset_packages} found in '\ + f'{self.rule_str(rule)} rule index patterns are {rule.contents.data.index},' \ + f'but no integration tag found' + failures.append(err_msg) if failures: err_msg = """ 
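Review bot: In the `else:` branch the index-pattern check reads `rule.contents.data.index` for every untagged production rule, and it appears to sit outside the `isinstance(rule.contents.data, QueryRuleData)` guard just above it, so a rule type whose data has no `index` attribute, or has it set to None, would abort the whole test with an exception instead of being reported in `failures`; reading it as `index_patterns = getattr(rule.contents.data, 'index', None) or []` keeps the test collecting results. The assembled message also loses its separator at the join: `f'{self.rule_str(rule)} rule index patterns are {rule.contents.data.index},' \` should end with `, '` so the text does not read `...,but no integration tag found`. `ignore_ids` and the `"|".join(non_dataset_packages)` pattern are rebuilt once per rule and could be hoisted above the `for rule in self.production_rules:` loop, and `any([...])` does not need the list. Note that once a rule carries any integration tag the `event.dataset` cross-check is skipped entirely, so a tag naming the wrong package is only caught when that package is absent from the manifest.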
@@ -471,6 +497,39 @@ class TestRuleMetadata(BaseRuleTest): """ self.fail(err_msg + '\n'.join(failures)) + +class TestIntegrationRules(BaseRuleTest): + """Test integration rules.""" + + @unittest.skip("8.3+ Stacks Have Related Integrations Feature") + def test_integration_guide(self): + """Test that rules which require a config note are using standard verbiage.""" + config = '## Setup\n\n' + beats_integration_pattern = config + 'The {} Fleet integration, Filebeat module, or similarly ' \ + 'structured data is required to be compatible with this rule.' + render = beats_integration_pattern.format + integration_notes = { + 'aws': render('AWS'), + 'azure': render('Azure'), + 'cyberarkpas': render('CyberArk Privileged Access Security (PAS)'), + 'gcp': render('GCP'), + 'google_workspace': render('Google Workspace'), + 'o365': render('Office 365 Logs'), + 'okta': render('Okta'), + } + + for rule in self.all_rules: + integration = rule.contents.metadata.integration + note_str = integration_notes.get(integration) + + if note_str: + self.assert_(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information') + + if note_str not in rule.contents.data.note: + self.fail(f'{self.rule_str(rule)} expected {integration} config missing\n\n' + f'Expected: {note_str}\n\n' + f'Actual: {rule.contents.data.note}') + def test_rule_demotions(self): """Test to ensure a locked rule is not dropped to development, only deprecated""" versions = default_version_lock.version_lock 
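Review bot: The new `class TestIntegrationRules(BaseRuleTest):` is inserted between `self.fail(err_msg + '\n'.join(failures))` and `def test_rule_demotions(self):`, which the hunk header places inside `TestRuleMetadata`, so unless the indentation lost in this rendering says otherwise, `test_rule_demotions` and every method after it up to the next top-level class now belong to `TestIntegrationRules` and run and report under that name; the class should go after the last method of `TestRuleMetadata`, or where the deleted copy lived, before `TestIncompatibleFields`. Inside the moved test, `integration = rule.contents.metadata.integration` is looked up with `integration_notes.get(integration)`, which raises TypeError for the list-valued tags this commit introduces; the test is `@unittest.skip`ped today, so this only bites when it is re-enabled, and normalising as the sibling test does, `integrations = [integration] if isinstance(integration, str) else (integration or [])`, keeps it usable. `self.assert_` is a deprecated alias removed in Python 3.12; `self.assertTrue` is the current spelling.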
@@ -662,38 +721,6 @@ class TestLicense(BaseRuleTest): self.assertEqual(rule_license, 'Elastic License v2', err_msg) -class TestIntegrationRules(BaseRuleTest): - """Test the note field of a rule.""" - - def test_integration_guide(self): - """Test that rules which require a config note are using standard verbiage.""" - config = '## Setup\n\n' - beats_integration_pattern = config + 'The {} Fleet integration, Filebeat module, or similarly ' \ - 'structured data is required to be compatible with this rule.' - render = beats_integration_pattern.format - integration_notes = { - 'aws': render('AWS'), - 'azure': render('Azure'), - 'cyberarkpas': render('CyberArk Privileged Access Security (PAS)'), - 'gcp': render('GCP'), - 'google_workspace': render('Google Workspace'), - 'o365': render('Office 365 Logs'), - 'okta': render('Okta'), - } - - for rule in self.all_rules: - integration = rule.contents.metadata.integration - note_str = integration_notes.get(integration) - - if note_str: - self.assert_(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information') - - if note_str not in rule.contents.data.note: - self.fail(f'{self.rule_str(rule)} expected {integration} config missing\n\n' - f'Expected: {note_str}\n\n' - f'Actual: {rule.contents.data.note}') - - class TestIncompatibleFields(BaseRuleTest): """Test stack restricted fields do not backport beyond allowable limits."""