diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index 8d37071c2..b9179554e 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -28,7 +28,7 @@ references = [ ] risk_score = 47 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 9d539247b..ab5037a11 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -19,7 +19,7 @@ license = "Elastic License v2" name = "WebServer Access Logs Deleted" risk_score = 47 rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index cc6cd22ad..f1cc64599 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml 
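Review bot: The new `setup` heading is written in two different shapes across this commit: this hunk and every other rules/cross-platform hunk (defense_evasion_*, discovery_*, execution_*, impact_hosts_file_modified.toml, initial_access_zoom_meeting_with_no_passcode.toml, threat_intel_indicator_match_*) put the first paragraph directly under `## Setup`, while the rules/integrations hunks (beaconing, ded, dga, lmd) also add a `+` blank line after the heading. Both forms render as a Markdown heading, but the repository now carries two layouts of the same field, which any check or template that inspects the start of `setup` would presumably have to tolerate. Suggest matching the integrations form here and in the other cross-platform files, i.e. `setup = """## Setup` followed by an empty line before `If enabling an EQL rule on a non-elastic-agent index ...`. The `setup` string continues past this hunk's last visible line; its closing `"""` is outside the hunk.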
@@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Tampering of Shell Command-Line History" risk_score = 47 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 1597275d0..3436a467e 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -21,7 +21,7 @@ license = "Elastic License v2" name = "Elastic Agent Service Terminated" risk_score = 47 rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index 4bfa53570..2b5f675a6 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml @@ -25,7 +25,7 @@ references = [ ] risk_score = 47 rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index a489d20cb..baed2ce5d 100644 
--- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -20,7 +20,7 @@ max_signals = 33 name = "Timestomping using Touch Command" risk_score = 47 rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml index 3567e7242..6960ab9e5 100644 --- a/rules/cross-platform/discovery_security_software_grep.toml +++ b/rules/cross-platform/discovery_security_software_grep.toml @@ -47,18 +47,16 @@ This rule looks for the execution of the `grep` utility with arguments compatibl - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 47 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html - """ severity = "medium" tags = ["Domain: Endpoint", 
diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index 67dd4291b..e0181030a 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -27,7 +27,7 @@ name = "Virtual Machine Fingerprinting via Grep" references = ["https://objective-see.com/blog/blog_0x4F.html"] risk_score = 47 rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml index fc32f00c2..c8994d36c 100644 --- a/rules/cross-platform/execution_python_script_in_cmdline.toml +++ b/rules/cross-platform/execution_python_script_in_cmdline.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Python Script Execution via Command Line" risk_score = 47 rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index aee9c12c8..b605d9064 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml +++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml 
@@ -45,7 +45,6 @@ This rule identifies commands that are potentially related to reverse shell acti - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", @@ -54,14 +53,13 @@ references = [ ] risk_score = 73 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html - """ severity = "high" tags = ["Domain: Endpoint", diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index 1eea44315..788197362 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml 
@@ -45,7 +45,6 @@ This rule identifies a suspicious child process of the Java interpreter process. - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.lunasec.io/docs/blog/log4j-zero-day/", @@ -56,14 +55,13 @@ references = [ ] risk_score = 47 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html - """ severity = "medium" tags = ["Domain: Endpoint", diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index fd91d3d57..56ebdb5c7 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml 
@@ -49,12 +49,11 @@ This rule identifies modifications in the hosts file across multiple operating s - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"] risk_score = 47 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c" -setup=""" +setup = """## Setup For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml. @@ -63,7 +62,6 @@ events will not define `event.ingested` and default fallback for EQL rules was n Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html - """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml index 77bc8731a..1287e9e55 100644 --- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml 
@@ -24,7 +24,7 @@ references = [ ] risk_score = 47 rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba" -setup = """ +setup = """## Setup The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.""" severity = "medium" diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/cross-platform/threat_intel_indicator_match_address.toml index 302d89610..55abba3f2 100644 --- a/rules/cross-platform/threat_intel_indicator_match_address.toml +++ b/rules/cross-platform/threat_intel_indicator_match_address.toml @@ -99,7 +99,6 @@ This rule is triggered when an IP address indicator from the Threat Intel Filebe - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", @@ -108,7 +107,7 @@ references = [ ] risk_score = 99 rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64" -setup=""" +setup = """## Setup This rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml index 3637f507e..5b6ea5fe0 100644 --- a/rules/cross-platform/threat_intel_indicator_match_hash.toml +++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml 
@@ -98,7 +98,6 @@ This rule is triggered when a hash indicator from the Threat Intel Filebeat modu - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", @@ -107,7 +106,7 @@ references = [ ] risk_score = 99 rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca" -setup=""" +setup = """## Setup This rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/cross-platform/threat_intel_indicator_match_registry.toml index 23147e297..3cb6742cb 100644 --- a/rules/cross-platform/threat_intel_indicator_match_registry.toml +++ b/rules/cross-platform/threat_intel_indicator_match_registry.toml @@ -93,7 +93,6 @@ This rule is triggered when a Windows registry indicator from the Threat Intel F - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", 
@@ -102,7 +101,7 @@ references = [ ] risk_score = 99 rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60" -setup=""" +setup = """## Setup This rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml index eea7e2b26..ea456406c 100644 --- a/rules/cross-platform/threat_intel_indicator_match_url.toml +++ b/rules/cross-platform/threat_intel_indicator_match_url.toml @@ -102,7 +102,6 @@ This rule is triggered when a URL indicator from the Threat Intel Filebeat modul - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", @@ -111,7 +110,7 @@ references = [ ] risk_score = 99 rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3" -setup=""" +setup = """## Setup This rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml index ad889812e..8f568cefa 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing.toml 
@@ -18,7 +18,8 @@ index = ["ml_beaconing.all"] language = "kuery" license = "Elastic License v2" name = "Statistical Model Detected C2 Beaconing Activity" -setup = """ +setup = """## Setup + The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. ### Network Beaconing Identification Setup diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml index 54fa85862..c716a31cd 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml @@ -18,7 +18,8 @@ index = ["ml_beaconing.all"] language = "kuery" license = "Elastic License v2" name = "Statistical Model Detected C2 Beaconing Activity with High Confidence" -setup = """ +setup = """## Setup + The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. ### Network Beaconing Identification Setup diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml index ddbfc647d..0291e6813 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml 
@@ -19,7 +19,8 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code" name = "Potential Data Exfiltration Activity to an Unusual ISO Code" -setup = """ +setup = """## Setup + The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). ### Data Exfiltration Detection Setup diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml index 5869f295a..71f7de4c7 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml @@ -19,7 +19,8 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_ip" name = "Potential Data Exfiltration Activity to an Unusual IP Address" -setup = """ +setup = """## Setup + The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). ### Data Exfiltration Detection Setup diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml index 46d59ce21..7d5b38f04 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml 
@@ -18,7 +18,8 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_port" name = "Potential Data Exfiltration Activity to an Unusual Destination Port" -setup = """ +setup = """## Setup + The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). ### Data Exfiltration Detection Setup diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml index d0ae19319..697084409 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml @@ -19,7 +19,8 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_sent_bytes_destination_region_name" name = "Potential Data Exfiltration Activity to an Unusual Region" -setup = """ +setup = """## Setup + The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). ### Data Exfiltration Detection Setup diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml index 4939ab053..a560d7cd2 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml 
@@ -19,7 +19,8 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_bytes_written_to_external_device" name = "Spike in Bytes Sent to an External Device" -setup = """ +setup = """## Setup + The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). ### Data Exfiltration Detection Setup diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml index 08dfb784f..7a30d8d9b 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml @@ -20,7 +20,8 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop" name = "Spike in Bytes Sent to an External Device via Airdrop" -setup = """ +setup = """## Setup + The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). ### Data Exfiltration Detection Setup diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml index c32c5a0dd..cdc7a88d3 100644 --- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml 
@@ -19,7 +19,8 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "ded_rare_process_writing_to_external_device" name = "Unusual Process Writing Data to an External Device" -setup = """ +setup = """## Setup + The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). ### Data Exfiltration Detection Setup diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml index f6e378e94..d6550b0d4 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml @@ -17,7 +17,8 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Machine Learning Detected DGA activity using a known SUNBURST DNS domain" -setup = """ +setup = """## Setup + The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. ### DGA Detection Setup diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml index f4d2ab045..76e884d76 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml 
@@ -19,7 +19,8 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "dga_high_sum_probability" name = "Potential DGA Activity" -setup = """ +setup = """## Setup + The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. ### DGA Detection Setup diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml index d41d5d678..88007164d 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml @@ -17,7 +17,8 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Machine Learning Detected a DNS Request With a High DGA Probability Score" -setup = """ +setup = """## Setup + The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. ### DGA Detection Setup diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml index ee72d046a..79e0bc018 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml 
@@ -17,7 +17,8 @@ index = ["logs-endpoint.events.*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Machine Learning Detected a DNS Request Predicted to be a DGA Domain" -setup = """ +setup = """## Setup + The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. ### DGA Detection Setup diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml index 5fca06efd..57b927c85 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml @@ -19,7 +19,8 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "lmd_high_mean_rdp_process_args" name = "High Mean of Process Arguments in an RDP Session" -setup = """ +setup = """## Setup + The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. ### Lateral Movement Detection Setup diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml index b0c19887a..c88ed4a04 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml 
@@ -19,7 +19,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
 name = "High Mean of RDP Session Duration"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
index f6d599d43..cec48ce96 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
@@ -20,7 +20,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
 name = "Unusual Remote File Size"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
index 122bf71bb..83e027be2 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
@@ -19,7 +19,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_var_rdp_session_duration"
 name = "High Variance in RDP Session Duration"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
index 1a4893b38..8528ef1ce 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
@@ -19,7 +19,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
 name = "Unusual Remote File Directory"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
index 7464be19e..1e67d54e0 100644
--- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
@@ -18,7 +18,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
 name = "Unusual Remote File Extension"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
index ee6f3f405..6717d596f 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
@@ -19,7 +19,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
 name = "Spike in Number of Connections Made from a Source IP"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
index 3ba40da0f..e9812f200 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
@@ -19,7 +19,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
 name = "Spike in Number of Connections Made to a Destination IP"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
index ba4442935..f9f27d852 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
@@ -18,7 +18,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
 name = "Spike in Number of Processes in an RDP Session"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
index fc93b20d3..23f283148 100644
--- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
@@ -20,7 +20,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_high_count_remote_file_transfer"
 name = "Spike in Remote File Transfers"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
index 5540ac4d7..8819bf40e 100644
--- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
@@ -19,7 +19,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
 name = "Unusual Time or Day for an RDP Session"
-setup = """
+setup = """## Setup
+
 The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
 
 ### Lateral Movement Detection Setup
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index d280dd558..cb94c0ab0 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -60,7 +60,8 @@ references = [
 ]
 risk_score = 73
 rule_id = "8a0fbd26-867f-11ee-947c-f661ea17fbcd"
-setup = """
+setup = """## Setup
+
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 severity = "high"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
index 469b7199e..b4a302af6 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
@@ -20,7 +20,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_rare_process_by_host"
 name = "Unusual Process Spawned by a Host"
-setup = """
+setup = """## Setup
+
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
 
 ### LotL Attack Detection Setup
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
index 24a7ad002..caef24727 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
@@ -20,7 +20,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_rare_process_by_parent"
 name = "Unusual Process Spawned by a Parent Process"
-setup = """
+setup = """## Setup
+
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
 
 ### LotL Attack Detection Setup
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
index d27160647..f81de03f7 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -21,7 +21,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_rare_process_by_user"
 name = "Unusual Process Spawned by a User"
-setup = """
+setup = """## Setup
+
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
 
 ### LotL Attack Detection Setup
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
index bc6961014..c7fc89b38 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
@@ -18,7 +18,8 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity"
-setup = """
+setup = """## Setup
+
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
 
 ### LotL Attack Detection Setup
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index 63dd467db..60c5f5f8f 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -18,7 +18,8 @@ index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
-setup = """
+setup = """## Setup
+
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
 
 ### LotL Attack Detection Setup
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index afe7ca2ce..4f40a2ef5 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -22,7 +22,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_host"
 name = "Suspicious Windows Process Cluster Spawned by a Host"
-setup = """
+setup = """## Setup
+
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
 
 ### LotL Attack Detection Setup
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index ae66698f0..9af714105 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -22,7 +22,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_parent"
 name = "Suspicious Windows Process Cluster Spawned by a Parent Process"
-setup = """
+setup = """## Setup
+
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
 
 ### LotL Attack Detection Setup
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index 3be735ed3..e09edc723 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -22,7 +22,8 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_user"
 name = "Suspicious Windows Process Cluster Spawned by a User"
-setup = """
+setup = """## Setup
+
 The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
 
 ### LotL Attack Detection Setup
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
index 695cc3ccd..3db9313d4 100644
--- a/rules/linux/command_and_control_cat_network_activity.toml
+++ b/rules/linux/command_and_control_cat_network_activity.toml
@@ -104,7 +104,9 @@ This rule looks for a sequence of a `cat` execution event followed by a network
 """
 risk_score = 47
 rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39"
-setup = """This rule requires data coming in from Elastic Defend.
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
 
 ### Elastic Defend Integration Setup
 Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml
index b137cb290..35bd99251 100644
--- a/rules/linux/command_and_control_linux_chisel_client_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml
@@ -112,7 +112,9 @@ references = [
 ]
 risk_score = 47
 rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd"
-setup = """This rule requires data coming in from Elastic Defend.
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
 
 ### Elastic Defend Integration Setup
 Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml
index e89c8656a..a5eee3346 100644
--- a/rules/linux/command_and_control_linux_chisel_server_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml
@@ -112,7 +112,9 @@ references = [
 ]
 risk_score = 47
 rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
-setup = """This rule requires data coming in from Elastic Defend.
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
 
 ### Elastic Defend Integration Setup
 Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
index 3d37c612c..f54235fd2 100644
--- a/rules/linux/command_and_control_linux_kworker_netcon.toml
+++ b/rules/linux/command_and_control_linux_kworker_netcon.toml
@@ -21,7 +21,7 @@ license = "Elastic License v2"
 name = "Network Activity Detected via Kworker"
 risk_score = 21
 rule_id = "25d917c4-aa3c-4111-974c-286c0312ff95"
-setup = """
+setup = """## Setup
 
 This rule requires data coming in from Elastic Defend.
 
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
index 224ca7e66..77b0be56d 100644
--- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
+++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
@@ -110,7 +110,9 @@ This rule looks for a list of suspicious processes spawned through `proxychains`
 references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
 risk_score = 21
 rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4"
-setup = """This rule requires data coming in from Elastic Defend.
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
 
 ### Elastic Defend Integration Setup
 Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
index 5b9df3466..07b6d3d90 100644
--- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
+++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
@@ -112,7 +112,9 @@ references = [
 ]
 risk_score = 47
 rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e"
-setup = """This rule requires data coming in from Elastic Defend.
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
 
 ### Elastic Defend Integration Setup
 Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
index 40e8c96e0..75e542d09 100644
--- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
+++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
@@ -105,7 +105,7 @@ This rule leverages the new terms rule type to detect previously unknown process
 """
 risk_score = 21
 rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b"
-setup = """
+setup = """## Setup
 
 This rule requires data coming in from one of the following integrations:
 - Elastic Defend
@@ -166,7 +166,6 @@ Packetbeat is a real-time network packet analyzer that you can use for applicati
 - To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).
 - For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).
 - For complete “Setup and Run Packetbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index 34e0666b3..e9cf24526 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -110,7 +110,9 @@ references = [
 ]
 risk_score = 47
 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769"
-setup = """This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
+setup = """## Setup
+
+This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
 
 ### Elastic Defend Integration Setup
 Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
@@ -145,7 +147,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 
 #### Custom Ingest Pipeline
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 81931d4f5..2e1bf781c 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -22,7 +22,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
-setup = """
+setup = """## Setup
 
 This rule requires data coming in from one of the following integrations:
 - Elastic Defend
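Review bot: The added line `+This rule requires data coming in either from Elastic Defend, or Auditbeat integration.` in the earthworm `@@ -110,7 +110,9 @@` hunk carries the old wording forward with a misplaced "either" and a stray comma, and since the line is now on the new side it is the place to fix it. Suggested text: `This rule requires data coming in from either the Elastic Defend or the Auditbeat integration.`. The rest of the setup string (the Auditbeat section and the custom ingest pipeline note) sits outside this hunk.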
@@ -60,7 +60,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
 - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml
index 5387720ee..0c136e26c 100644
--- a/rules/linux/credential_access_credential_dumping.toml
+++ b/rules/linux/credential_access_credential_dumping.toml
@@ -26,7 +26,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
-setup = """
+setup = """## Setup
 
 This rule requires data coming in from Elastic Defend.
 
@@ -50,7 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml
index e3baf2a92..71f8a6a80 100644
--- a/rules/linux/credential_access_gdb_init_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_init_process_hooking.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f"
-setup = """
+setup = """## Setup
 
 This rule requires data coming in from Elastic Defend.
 
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
index e1020fb61..8f187c78d 100644
--- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
+++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Potential Linux Local Account Brute Force Detected"
 risk_score = 47
 rule_id = "835c0622-114e-40b5-a346-f843ea5d01f1"
-setup = """
+setup = """## Setup
 
 This rule requires data coming in from Elastic Defend.
 
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
index 97cf8340b..ac8bfd8a5 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
@@ -55,11 +55,10 @@ In case this rule generates too much noise and external brute forcing is of not
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "fa210b61-b627-4e5e-86f4-17e8270656ab"
-setup = """
+setup = """## Setup
 
 This rule requires data coming in from Filebeat.
 
@@ -78,7 +77,6 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 - This rule requires the “Filebeat System Module” to be enabled.
 - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
 - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint",
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
index bacd6e116..1aa54307d 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
@@ -51,11 +51,10 @@ The rule identifies consecutive internal SSH login failures targeting a user acc
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb"
-setup = """
+setup = """## Setup
 
 This rule requires data coming in from Filebeat.
 
@@ -74,7 +73,6 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 - This rule requires the “Filebeat System Module” to be enabled.
 - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
 - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint",
diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
index 2e26ee87f..d554c3a09 100644
--- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "Potential Successful Linux FTP Brute Force Attack Detected"
 risk_score = 47
 rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d"
-setup = """
+setup = """## Setup
 
 This rule requires data coming in from one of the following integrations:
 - Auditbeat
@@ -57,7 +57,6 @@ Auditd Manager provides a user-friendly interface and automation capabilities fo Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. - For this detection rule no additional audit rules are required to be added to the integration. - """ severity = "medium" tags = [ diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml index 5abb8856c..cd5da35ff 100644 --- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml @@ -23,7 +23,7 @@ license = "Elastic License v2" name = "Potential Successful Linux RDP Brute Force Attack Detected" risk_score = 47 rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Auditbeat @@ -57,7 +57,6 @@ Auditd Manager provides a user-friendly interface and automation capabilities fo Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. - For this detection rule no additional audit rules are required to be added to the integration. - """ severity = "medium" tags = [ 
diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index 54d58ed62..c14bbbaf0 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml @@ -45,11 +45,10 @@ The rule identifies consecutive SSH login failures followed by a successful logi - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 73 rule_id = "8cb84371-d053-4f4f-bce0-c74990e28f28" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Auditbeat @@ -80,7 +79,6 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). - """ severity = "high" tags = [ diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index 00c31d229..ff941228c 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml 
@@ -25,7 +25,7 @@ references = [ ] risk_score = 47 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -49,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index c7d883179..ecc4b5932 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -25,7 +25,7 @@ references = [ ] risk_score = 73 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -64,7 +64,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). - """ severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index 189995327..1c84372ed 100644 
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Attempt to Disable IPTables or Firewall" risk_score = 21 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -43,7 +43,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" tags = [ diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 644ed904f..9c21dacf1 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Attempt to Disable Syslog Service" risk_score = 47 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend 
@@ -55,7 +55,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). - """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 909fb3d65..ff16bb608 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -22,7 +22,7 @@ license = "Elastic License v2" name = "Base16 or Base32 Encoding/Decoding Activity" risk_score = 21 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend 
@@ -58,7 +58,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). - """ severity = "low" tags = [ diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index 06456d5c6..b544778af 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "System Binary Copied and/or Moved to Suspicious Directory" risk_score = 21 rule_id = "fda1d332-5e08-4f27-8a9b-8c802e3292a6" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" tags = [ diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index 075a03e4b..6708e4784 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml 
@@ -22,7 +22,7 @@ max_signals = 33 name = "File made Immutable by Chattr" risk_score = 47 rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -61,7 +61,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index dcdbb6f6d..fa8826164 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Attempt to Clear Kernel Ring Buffer" risk_score = 21 rule_id = "2724808c-ba5d-48b2-86d2-0002103df753" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -43,7 +43,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" tags = [ diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index 2f9bd16f4..22ae8aef1 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml 
+++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Potential Disabling of AppArmor" risk_score = 21 rule_id = "fac52c69-2646-4e79-89c0-fd7653461010" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" tags = [ diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index c52bcd4f8..9563bca66 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Potential Disabling of SELinux" risk_score = 47 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -56,7 +56,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). - """ severity = "medium" tags = [ 
diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index 9dd5d4360..d87abc4fa 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml @@ -25,7 +25,7 @@ references = [ ] risk_score = 47 rule_id = "30bfddd7-2954-4c9d-bbc6-19a99ca47e23" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -49,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 5990b0993..9b41a3d3d 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "File Deletion via Shred" risk_score = 21 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" tags = [ 
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 44701f072..308ff063e 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -25,7 +25,7 @@ license = "Elastic License v2" name = "File Permission Modification in Writable Directory" risk_score = 21 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -61,7 +61,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). - """ severity = "low" tags = [ diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 3e2b7c395..c5ccfbfbe 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -27,7 +27,7 @@ max_signals = 33 name = "Creation of Hidden Files and Directories via CommandLine" risk_score = 47 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend 
@@ -66,7 +66,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 1285d1f84..c841c28f3 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -21,7 +21,7 @@ max_signals = 33 name = "Creation of Hidden Shared Object File" risk_score = 47 rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -60,7 +60,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index dc429f25b..d4a846d10 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml 
@@ -27,7 +27,7 @@ name = "Kernel Module Removal" references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"] risk_score = 47 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -51,7 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 3d85ae761..536efb926 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml @@ -23,7 +23,8 @@ references = [ ] risk_score = 21 rule_id = "202829f6-0271-4e88-b882-11a655c590d4" -setup = """ +setup = """## Setup + This rule requires data coming in from Elastic Defend. @@ -47,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" tags = [ diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 66aeee81a..ca5cf9311 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml 
@@ -22,7 +22,7 @@ references = [ ] risk_score = 47 rule_id = "aa895aea-b69c-4411-b110-8d7599634b30" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -61,7 +61,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index 99e950181..79e8213a6 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -27,7 +27,7 @@ references = [ ] risk_score = 47 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -51,7 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index 998c1af53..bcdf77193 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml 
@@ -30,7 +30,7 @@ references = [ ] risk_score = 47 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -54,7 +54,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 3e92debd9..b1b0bd4e7 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -23,7 +23,7 @@ references = [ ] risk_score = 47 rule_id = "97db8b42-69d8-4bf3-9fd4-c69a1d895d68" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index bf24c7683..7160ee85a 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml 
@@ -23,7 +23,7 @@ references = [ ] risk_score = 47 rule_id = "c125e48f-6783-41f0-b100-c3bf1b114d16" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index e89f5d726..ecc3d3379 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -22,7 +22,8 @@ name = "Suspicious Dynamic Linker Discovery via od" references = ["https://github.com/arget13/DDexec"] risk_score = 21 rule_id = "0369e8a6-0fa7-4e7a-961a-53180a4c966e" -setup = """ +setup = """## Setup + This rule requires data coming in from Elastic Defend. @@ -46,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" tags = [ diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index a3529aad5..db29daf07 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml 
@@ -22,7 +22,7 @@ name = "ESXI Discovery via Find" references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] risk_score = 47 rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 0e103587e..0e90a61c9 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -22,7 +22,7 @@ name = "ESXI Discovery via Grep" references = ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"] risk_score = 47 rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 60b1a0a8c..d6963ac33 100644 
--- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -26,7 +26,7 @@ license = "Elastic License v2" name = "Enumeration of Kernel Modules" risk_score = 47 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -50,7 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index fa65290f7..c504f87c4 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -26,7 +26,7 @@ name = "Hping Process Activity" references = ["https://en.wikipedia.org/wiki/Hping"] risk_score = 47 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -62,7 +62,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). - """ severity = "medium" tags = [ 
diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 4759b6da7..b02d6893d 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -26,7 +26,7 @@ name = "Nping Process Activity" references = ["https://en.wikipedia.org/wiki/Nmap"] risk_score = 47 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -62,7 +62,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index da60a1ad7..c7a655bd5 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Potential Network Scan Executed From Host" risk_score = 47 rule_id = "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. 
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/discovery_proc_maps_read.toml b/rules/linux/discovery_proc_maps_read.toml
index 54e8d4246..74f5f25c1 100644
--- a/rules/linux/discovery_proc_maps_read.toml
+++ b/rules/linux/discovery_proc_maps_read.toml
@@ -21,7 +21,8 @@ name = "Suspicious /proc/maps Discovery"
 references = ["https://github.com/arget13/DDexec"]
 risk_score = 21
 rule_id = "2f95540c-923e-4f57-9dae-de30169c68b9"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml
index 3bc8dec57..668d786e1 100644
--- a/rules/linux/discovery_process_capabilities.toml
+++ b/rules/linux/discovery_process_capabilities.toml
@@ -19,7 +19,8 @@ license = "Elastic License v2"
 name = "Process Capability Enumeration"
 risk_score = 21
 rule_id = "5c351f54-4187-4ad8-abc8-29b0cfbef8b1"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -43,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml
index a45b05c89..3c02f0ea0 100644
--- a/rules/linux/discovery_pspy_process_monitoring_detected.toml
+++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml
@@ -22,7 +22,7 @@ name = "Potential Pspy Process Monitoring Detected"
 references = ["https://github.com/DominicBreuker/pspy"]
 risk_score = 21
 rule_id = "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Auditd Manager.
@@ -45,7 +45,6 @@ Auditd Manager subscribes to the kernel and receives events as they occur withou
 However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
 - For this detection rule the following additional audit rules are required to be added to the integration:
 -- "-w /proc/ -p r -k audit_proc"
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
index 53e5d8016..f9719cca5 100644
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml
+++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Sudo Command Enumeration Detected"
 risk_score = 21
 rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml
index 95e93fd6c..4b6179ebf 100644
--- a/rules/linux/discovery_suid_sguid_enumeration.toml
+++ b/rules/linux/discovery_suid_sguid_enumeration.toml
@@ -22,7 +22,7 @@ license = "Elastic License v2"
 name = "SUID/SGUID Enumeration Detected"
 risk_score = 21
 rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
index 9c0eb17df..f865c8b89 100644
--- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml
+++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Unusual User Privilege Enumeration via id"
 risk_score = 21
 rule_id = "afa135c0-a365-43ab-aa35-fd86df314a47"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 2eaaf3647..58b5f0049 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -26,7 +26,7 @@ license = "Elastic License v2"
 name = "Virtual Machine Fingerprinting"
 risk_score = 73
 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
-setup = """
+setup = """## Setup
 This rule requires data coming in from one of the following integrations:
 - Elastic Defend
@@ -62,7 +62,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
 - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index 1f95a17f5..8ce081939 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -64,7 +64,6 @@ This rule identifies the creation of PID, lock, or reboot files in the /var/run/
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
@@ -74,7 +73,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -98,7 +97,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
index 701ad91cf..7829501fc 100644
--- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
+++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
@@ -28,7 +28,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "f41296b4-9975-44d6-9486-514c6f635b2d"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -65,7 +65,6 @@ In order to capture this behavior, this rule requires a specific configuration o
 - Click “Save”.
 After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
 For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml
index 29389ee03..d6a194999 100644
--- a/rules/linux/execution_file_execution_followed_by_deletion.toml
+++ b/rules/linux/execution_file_execution_followed_by_deletion.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "File Creation, Execution and Self-Deletion in Suspicious Directory"
 risk_score = 47
 rule_id = "09bc6c90-7501-494d-b015-5d988dc3f233"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index 1f860d513..56c2f7469 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -62,7 +62,6 @@ This rule identifies potential reverse shell or bind shell activity using Netcat
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
@@ -74,7 +73,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from one of the following integrations:
 - Elastic Defend
@@ -110,7 +109,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
 - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml
index b883f27cb..370280a85 100644
--- a/rules/linux/execution_interpreter_tty_upgrade.toml
+++ b/rules/linux/execution_interpreter_tty_upgrade.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Potential Upgrade of Non-interactive Shell"
 risk_score = 47
 rule_id = "84d1f8db-207f-45ab-a578-921d91c23eb2"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 timestamp_override = "event.ingested"
diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml
index 937fb7839..222521af0 100644
--- a/rules/linux/execution_nc_listener_via_rlwrap.toml
+++ b/rules/linux/execution_nc_listener_via_rlwrap.toml
@@ -27,7 +27,7 @@ license = "Elastic License v2"
 name = "Netcat Listener Established via rlwrap"
 risk_score = 21
 rule_id = "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -52,7 +52,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint",
diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml
index d2ace6a67..6699df0c2 100644
--- a/rules/linux/execution_network_event_post_compilation.toml
+++ b/rules/linux/execution_network_event_post_compilation.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Network Connection via Recently Compiled Executable"
 risk_score = 47
 rule_id = "64cfca9e-0f6f-4048-8251-9ec56a055e9e"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index d36348aa5..35a7229b1 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Perl"
 risk_score = 73
 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
-setup = """
+setup = """## Setup
 This rule requires data coming in from one of the following integrations:
 - Elastic Defend
@@ -55,7 +55,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
 - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml
index 04a496659..bc0913d3e 100644
--- a/rules/linux/execution_potential_hack_tool_executed.toml
+++ b/rules/linux/execution_potential_hack_tool_executed.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Potential Linux Hack Tool Launched"
 risk_score = 47
 rule_id = "1df1152b-610a-4f48-9d7a-504f6ee5d9da"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 timestamp_override = "event.ingested"
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
index 0811a8e8f..cbe81a44d 100644
--- a/rules/linux/execution_process_started_from_process_id_file.toml
+++ b/rules/linux/execution_process_started_from_process_id_file.toml
@@ -32,7 +32,6 @@ Detection alerts from this rule indicate a process spawned from an executable ma
 - Examine parent and child process relationships of the new process to determine if other processes are running.
 - Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';"
 - Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.
-
 """
 references = [
 "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
@@ -42,7 +41,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -66,7 +65,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = [
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
index 8feb4087d..fa6d47407 100644
--- a/rules/linux/execution_process_started_in_shared_memory_directory.toml
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -32,7 +32,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -56,7 +56,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = [
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 243bf6daa..258922a1a 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Python"
 risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -43,7 +43,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 timestamp_override = "event.ingested"
diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml
index ff5fbb6cd..a102905ca 100644
--- a/rules/linux/execution_remote_code_execution_via_postgresql.toml
+++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml
@@ -22,7 +22,7 @@ license = "Elastic License v2"
 name = "Potential Code Execution via Postgresql"
 risk_score = 47
 rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint",
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index 74de453fd..b3bef3b27 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -62,7 +62,6 @@ Initiate the incident response process based on the outcome of the triage.
 - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://gtfobins.github.io/gtfobins/apt/",
@@ -93,7 +92,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -126,7 +125,6 @@ Session View uses process data collected by the Elastic Defend integration, but
 - If you want to include file and network alerts in Session View, check the boxes for “Network and File events”.
 - If you want to enable terminal output capture, turn on the “Capture terminal output” toggle.
 For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml
index c56a6b593..24586d552 100644
--- a/rules/linux/execution_shell_via_background_process.toml
+++ b/rules/linux/execution_shell_via_background_process.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Potential Reverse Shell via Background Process"
 risk_score = 47
 rule_id = "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -43,7 +43,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 timestamp_override = "event.ingested"
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
index e16d6f7ae..f9d53e394 100644
--- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
+++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
@@ -23,7 +23,8 @@ references = [
 ]
 risk_score = 47
 rule_id = "2138bb70-5a5e-42fd-be5e-b38edf6a6777"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click Save and Continue.
 - To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml
index a64f22feb..ef459002a 100644
--- a/rules/linux/execution_shell_via_java_revshell_linux.toml
+++ b/rules/linux/execution_shell_via_java_revshell_linux.toml
@@ -22,7 +22,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
index 24a5dc08a..a01e43904 100644
--- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
+++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml
index ee8ffd010..d8400c11b 100644
--- a/rules/linux/execution_shell_via_meterpreter_linux.toml
+++ b/rules/linux/execution_shell_via_meterpreter_linux.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Potential Meterpreter Reverse Shell"
 risk_score = 47
 rule_id = "5c895b4f-9133-4e68-9e23-59902175355c"
-setup = """
+setup = """## Setup
 This rule requires data coming in from one of the following integrations:
 - Auditbeat
@@ -57,7 +57,6 @@ However, if more advanced configuration is required to detect specific behavior,
 -w /proc/net/ -p r -k audit_proc
 -w /etc/machine-id -p wa -k machineid
 -w /etc/passwd -p wa -k passwd
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml
index 5b9480d19..950f3dd98 100644
--- a/rules/linux/execution_shell_via_suspicious_binary.toml
+++ b/rules/linux/execution_shell_via_suspicious_binary.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
index e6b9d6370..cbb42cb1c 100644
--- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
index 7b2fcad2a..cdb7c1bd3 100644
--- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037"
-setup = """
+setup = """## Setup
 This rule requires data coming in from one of the following integrations:
 - Auditbeat
@@ -58,7 +58,6 @@ Auditd Manager provides a user-friendly interface and automation capabilities fo
 Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
 However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
 - For this detection rule no additional audit rules are required to be added to the integration.
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
index 91fa7eb9c..0f19dd505 100644
--- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
+++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
@@ -24,7 +24,7 @@ references = [ ] risk_score = 47 rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index f38a877b2..f0bf64224 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -22,7 +22,7 @@ license = "Elastic License v2" name = "Suspicious System Commands Executed by Previously Unknown Executable" risk_score = 21 rule_id = "e9001ee6-2d00-4d2f-849e-b8b1fb05234c" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. 
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index 002a29e16..e08131a00 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Suspicious Mining Process Creation Event" risk_score = 47 rule_id = "e2258f48-ba75-4248-951b-7c885edf18c2" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -43,7 +43,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 95ffa1af9..80dbb34e5 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml 
@@ -25,7 +25,7 @@ references = [ ] risk_score = 73 rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -49,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "high" tags = [ diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index 68821691a..f2d6c9090 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -24,7 +24,7 @@ references = [ ] risk_score = 47 rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml index ce3e61050..8b9003468 100644 --- a/rules/linux/impact_esxi_process_kill.toml +++ b/rules/linux/impact_esxi_process_kill.toml 
@@ -24,7 +24,7 @@ references = [ ] risk_score = 47 rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index 4d87d7287..f88c579f2 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml @@ -21,7 +21,7 @@ license = "Elastic License v2" name = "Suspicious File Changes Activity Detected" risk_score = 47 rule_id = "28738f9f-7427-4d23-bc69-756708b5f624" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index 666632a68..347b2c6a5 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml 
@@ -22,7 +22,7 @@ license = "Elastic License v2" name = "Potential Linux Ransomware Note Creation Detected" risk_score = 47 rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index a431d1833..dcbc680f3 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -48,11 +48,10 @@ This rule identifies a high number (10) of process terminations via pkill from t - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 47 rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. 
@@ -76,7 +75,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index d2a2d3627..d3c491280 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml @@ -20,7 +20,7 @@ name = "Potential SSH-IT SSH Worm Downloaded" references = ["https://www.thc.org/ssh-it/"] risk_score = 47 rule_id = "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index b4e30fcb1..f2186f995 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml 
@@ -28,7 +28,7 @@ name = "Connection to External Network via Telnet" references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"] risk_score = 47 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -64,7 +64,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index 2ddb28ceb..b50c4c107 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -28,7 +28,7 @@ name = "Connection to Internal Network via Telnet" references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"] risk_score = 47 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend 
@@ -64,7 +64,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 2d1c6b853..16962b3ee 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -22,7 +22,8 @@ license = "Elastic License v2" name = "Suspicious APT Package Manager Execution" risk_score = 47 rule_id = "ad959eeb-2b7b-4722-ba08-a45f6622f005" -setup = """ +setup = """## Setup + This rule requires data coming in from Elastic Defend. @@ -46,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 77a61d5c6..13d9d6bd3 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml 
@@ -22,7 +22,8 @@ license = "Elastic License v2" name = "Suspicious APT Package Manager Network Connection" risk_score = 47 rule_id = "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c" -setup = """ +setup = """## Setup + This rule requires data coming in from Elastic Defend. @@ -46,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 6d65aa620..a5905a233 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -147,7 +147,7 @@ references = [ ] risk_score = 47 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -171,7 +171,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index d04d4b2fa..d50db9ab0 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml 
@@ -108,7 +108,7 @@ The detection rule 'Modification of OpenSSH Binaries' is designed to identify su references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"] risk_score = 47 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -144,7 +144,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 5c6bf2ad4..8f52ebce8 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -164,7 +164,7 @@ references = [ ] risk_score = 47 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -188,7 +188,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ 
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index 1489662c2..ff7bf2fbd 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml @@ -150,7 +150,7 @@ references = [ ] risk_score = 73 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -174,7 +174,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "high" tags = [ diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index ff8fe0723..a8f67c739 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -161,7 +161,7 @@ references = [ ] risk_score = 47 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -185,7 +185,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 3581b682f..1af1b1778 100644 --- a/rules/linux/persistence_init_d_file_creation.toml 
+++ b/rules/linux/persistence_init_d_file_creation.toml @@ -117,7 +117,6 @@ This rule looks for the creation of new files within the `/etc/init.d/` director - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", @@ -127,7 +126,7 @@ references = [ ] risk_score = 47 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -151,7 +150,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index edb055b36..866b0d000 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -121,7 +121,7 @@ references = [ ] risk_score = 47 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. 
@@ -145,7 +145,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 5783b5cfc..34f92ac31 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -170,7 +170,7 @@ references = [ ] risk_score = 47 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3" -setup = """ +setup = """## Setup This rule requires data coming in from one of the following integrations: - Elastic Defend @@ -209,7 +209,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml index 7db8b49d0..24f6c7291 100644 --- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml +++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml 
@@ -22,7 +22,8 @@ license = "Elastic License v2" name = "Kernel Driver Load by non-root User" risk_score = 47 rule_id = "ba81c182-4287-489d-af4d-8ae834b06040" -setup = """ +setup = """## Setup + This rule requires data coming in from Auditd Manager. @@ -46,7 +47,6 @@ However, if more advanced configuration is required to detect specific behavior, - For this detection rule the following additional audit rules are required to be added to the integration: -- "-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules" -- "-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules" - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml index 460636deb..888d02384 100644 --- a/rules/linux/persistence_kworker_file_creation.toml +++ b/rules/linux/persistence_kworker_file_creation.toml @@ -162,7 +162,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click Save and Continue. - To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index 2feafb7f7..947d5fe8d 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml 
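Review bot: persistence_kworker_file_creation.toml is the one file in this batch whose only hunk is the removal of the trailing blank line before the closing `"""`, while every other rule file here also gets a second hunk changing the opener to `setup = """## Setup`. The file's setup opener is outside this hunk and not visible, so unless its string already starts with the heading, it is left as the single rule without the `## Setup` heading the batch is normalizing; worth a quick check before merge. The context lines `- Click Save and Continue.` and `select Add Elastic Agent to your hosts` in that hunk also lack the quotation marks the sibling files use (`Click "Save and Continue".`), which suggests this file's setup text has drifted from the shared template and may have been skipped by whatever pass produced the other hunks.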
@@ -84,11 +84,10 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 47 rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -112,7 +111,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" tags = [ diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index a86662efa..077c480a7 100644 --- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml 
@@ -79,11 +79,10 @@ This rule identifies the usages of `groupadd` and `addgroup` to create new group - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 21 rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f" -setup = """ +setup = """## Setup This rule requires data coming in from Filebeat. @@ -102,7 +101,6 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). - """ severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index 93bda1093..eeb4603ab 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml 
@@ -97,7 +97,6 @@ This rule detects a web server process spawning script and command line interfac - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://pentestlab.blog/tag/web-shell/", @@ -105,7 +104,7 @@ references = [ ] risk_score = 73 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -129,7 +128,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "high" tags = [ diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml index b9ba48278..5fbcb8806 100644 --- a/rules/linux/persistence_linux_user_account_creation.toml +++ b/rules/linux/persistence_linux_user_account_creation.toml 
@@ -78,11 +78,10 @@ This rule identifies the usage of `useradd` and `adduser` to create new accounts - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 21 rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c" -setup = """ +setup = """## Setup This rule requires data coming in from Filebeat. @@ -101,7 +100,6 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). - """ severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 3ffaac7d6..a2a9e7793 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml 
@@ -79,11 +79,10 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 21 rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b" -setup = """ +setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -107,7 +106,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" tags = [ diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index e44a6f99f..7afb4ae59 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml 
@@ -114,14 +114,13 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/`
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
 ]
 risk_score = 47
 rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -145,7 +144,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml
index 3dd1a535e..4a3957d14 100644
--- a/rules/linux/persistence_message_of_the_day_execution.toml
+++ b/rules/linux/persistence_message_of_the_day_execution.toml
@@ -113,14 +113,13 @@ This rule identifies the execution of potentially malicious processes from a MOT
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
 ]
 risk_score = 73
 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -144,7 +143,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = [
diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index 5a7ba8700..ce7a4a9ae 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -96,7 +96,6 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
@@ -106,7 +105,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -130,7 +129,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml
index 3f182244b..55f91e2f2 100644
--- a/rules/linux/persistence_setuid_setgid_capability_set.toml
+++ b/rules/linux/persistence_setuid_setgid_capability_set.toml
@@ -106,7 +106,7 @@ This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabi
 """
 risk_score = 47
 rule_id = "f5c005d3-4e17-48b0-9cd7-444d48857f97"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -130,7 +130,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 17a93037c..b9da05228 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -135,7 +135,7 @@ This rule monitors the creation of shared object files by previously unknown pro
 references = ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"]
 risk_score = 47
 rule_id = "aebaa51f-2a91-4f6a-850b-b601db2293f4"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -159,7 +159,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml
index c6b51a971..7e63a1054 100644
--- a/rules/linux/persistence_systemd_netcon.toml
+++ b/rules/linux/persistence_systemd_netcon.toml
@@ -22,7 +22,8 @@ license = "Elastic License v2"
 name = "Suspicious Network Connection via systemd"
 risk_score = 47
 rule_id = "f3818c85-2207-4b51-8a28-d70fb156ee87"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml
index 70f062101..02f869196 100644
--- a/rules/linux/persistence_systemd_scheduled_timer_created.toml
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml
@@ -127,7 +127,6 @@ This rule monitors the creation of new systemd timer files, potentially indicati
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://opensource.com/article/20/7/systemd-timers",
@@ -135,7 +134,7 @@ references = [
 ]
 risk_score = 21
 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -159,7 +158,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml
index 81b5454a9..a876bda25 100644
--- a/rules/linux/persistence_systemd_service_creation.toml
+++ b/rules/linux/persistence_systemd_service_creation.toml
@@ -163,7 +163,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -187,7 +187,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml
index 7adbf37d4..b9bc99d66 100644
--- a/rules/linux/persistence_tainted_kernel_module_load.toml
+++ b/rules/linux/persistence_tainted_kernel_module_load.toml
@@ -21,7 +21,7 @@ license = "Elastic License v2"
 name = "Tainted Kernel Module Load"
 risk_score = 21
 rule_id = "05cad2fb-200c-407f-b472-02ea8c9e5e4a"
-setup = """
+setup = """## Setup
 This rule requires data coming in from one of the following integrations:
 - Filebeat
@@ -41,7 +41,6 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
 - This rule requires the Filebeat System Module to be enabled.
 - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
 - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
index 43df66fcd..bfacc7bb8 100644
--- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
+++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
@@ -22,7 +22,7 @@ name = "Potential Unauthorized Access via Wildcard Injection Detected"
 references = ["https://www.exploit-db.com/papers/33930"]
 risk_score = 21
 rule_id = "4a99ac6f-9a54-4ba5-a64f-6eb65695841b"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
index d8756af51..a3c1bbf7b 100644
--- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml
+++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml
@@ -26,7 +26,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -59,7 +59,6 @@ Session View uses process data collected by the Elastic Defend integration, but
 - If you want to include file and network alerts in Session View, check the boxes for “Network and File events”.
 - If you want to enable terminal output capture, turn on the “Capture terminal output” toggle.
 For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml
index e563e7deb..79f680858 100644
--- a/rules/linux/privilege_escalation_dac_permissions.toml
+++ b/rules/linux/privilege_escalation_dac_permissions.toml
@@ -21,7 +21,8 @@ license = "Elastic License v2"
 name = "Potential Privilege Escalation via Linux DAC permissions"
 risk_score = 47
 rule_id = "f7c70f2e-4616-439c-85ac-5b98415042fe"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
index 0f5b66413..17677e5b5 100644
--- a/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
+++ b/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml
@@ -23,7 +23,8 @@ references = [
 ]
 risk_score = 47
 rule_id = "5ae02ebc-a5de-4eac-afe6-c88de696477d"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -56,7 +57,6 @@ Session View uses process data collected by the Elastic Defend integration, but
 - If you want to include file and network alerts in Session View, check the boxes for “Network and File events”.
 - If you want to enable terminal output capture, turn on the “Capture terminal output” toggle.
 For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_enlightenment_window_manager.toml b/rules/linux/privilege_escalation_enlightenment_window_manager.toml
index 69b989103..158032e8f 100644
--- a/rules/linux/privilege_escalation_enlightenment_window_manager.toml
+++ b/rules/linux/privilege_escalation_enlightenment_window_manager.toml
@@ -23,7 +23,8 @@ references = [
     "https://www.exploit-db.com/exploits/51180"]
 risk_score = 73
 rule_id = "bc0fc359-68db-421e-a435-348ced7a7f92"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
index c9cd5750b..bccf9b9f4 100644
--- a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
+++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
@@ -22,7 +22,8 @@ license = "Elastic License v2"
 name = "Privilege Escalation via GDB CAP_SYS_PTRACE"
 risk_score = 47
 rule_id = "c296f888-eac6-4543-8da5-b6abb0d3304f"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
index 9487c937e..dd419df82 100644
--- a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
+++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
@@ -22,7 +22,8 @@ license = "Elastic License v2"
 name = "Root Network Connection via GDB CAP_SYS_PTRACE"
 risk_score = 47
 rule_id = "28bc620d-b2f7-4132-b372-f77953881d05"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
index 0d7a73a38..60863460f 100644
--- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml
+++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "Suspicious Kworker UID Elevation"
 risk_score = 47
 rule_id = "7dfaaa17-425c-4fe7-bd36-83705fde7c2b"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click Save and Continue.
 - To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index a3ac9f18d..52c674200 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
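Review bot: The setup text of privilege_escalation_kworker_uid_elevation.toml (hunk `@@ -48,7 +48,6 @@`) still reads `- Click Save and Continue.` and `select Add Elastic Agent to your hosts`, while every other Elastic Defend setup block touched in this change quotes those UI labels (`- Click "Save and Continue".`, `select "Add Elastic Agent to your hosts"`). Since this commit is normalizing the setup blocks across rules, it would be worth aligning the two lines here as well so the shared boilerplate stays identical and greppable. The surrounding setup string starts before this hunk.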
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -22,7 +22,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from one of the following integrations:
 - Elastic Defend
@@ -58,7 +58,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
 - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
index 2300d6786..9c2bb9438 100644
--- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
+++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
@@ -22,7 +22,7 @@ license = "Elastic License v2"
 name = "Suspicious Symbolic Link Created"
 risk_score = 21
 rule_id = "8a024633-c444-45c0-a4fe-78128d8c1ab6"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
index 3c872a384..7469dbb2f 100644
--- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
+++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
@@ -24,7 +24,7 @@ references = [
     "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"]
 risk_score = 47
 rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
index fc24d787f..b0b88ac0d 100644
--- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
+++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
@@ -27,7 +27,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -51,7 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
index 22c1de209..adf13b4f7 100644
--- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
+++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
@@ -20,7 +20,7 @@ name = "Potential Privilege Escalation via CVE-2023-4911"
 references = ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"]
 risk_score = 73
 rule_id = "6d8685a1-94fa-4ef7-83de-59302e7c4ca8"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -57,7 +57,6 @@ In order to capture this behavior, this rule requires a specific configuration o
 - Click “Save”.
 After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
 For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
-
 """
 severity = "high"
 tags = [
diff --git a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
index a17a47896..9dcd3eb4b 100644
--- a/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
+++ b/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml
@@ -20,7 +20,8 @@ license = "Elastic License v2"
 name = "Suspicious Network Connection via Sudo Binary"
 risk_score = 47
 rule_id = "30e1e9f2-eb9c-439f-aff6-1e3068e99384"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index 86a9899c3..4d3ba053c 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -23,7 +23,7 @@ references = [
     "https://twitter.com/liadeliyahu/status/1684841527959273472"]
 risk_score = 73
 rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index e12bb1806..e8467a595 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -20,7 +20,7 @@ name = "Potential Privilege Escalation via PKEXEC"
 references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"]
 risk_score = 73
 rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
index a9ca6256e..0e9c500db 100644
--- a/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
+++ b/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
@@ -19,14 +19,14 @@ license = "Elastic License v2"
 name = "Potential Buffer Overflow Attack Detected"
 risk_score = 21
 rule_id = "b7c05aaf-78c2-4558-b069-87fa25973489"
-setup = """
+setup = """## Setup
+
 This rule leverages alert data from other prebuilt detection rules to function correctly.
 ### Dependent Elastic Detection Rule Enablement
 As a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:
 - Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)
-
 """
 severity = "low"
 tags = [
diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
index 1159c6295..bd8fba540 100644
--- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
+++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
@@ -22,7 +22,7 @@ name = "Potential Shell via Wildcard Injection Detected"
 references = ["https://www.exploit-db.com/papers/33930"]
 risk_score = 47
 rule_id = "0b803267-74c5-444d-ae29-32b5db2d562a"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
index 1cab6128a..b4903b3f1 100644
--- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
+++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
@@ -23,7 +23,7 @@ name = "Potential Suspicious DebugFS Root Device Access"
 references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"]
 risk_score = 21
 rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
index 844ce64fd..ff3852135 100644
--- a/rules/linux/privilege_escalation_shadow_file_read.toml
+++ b/rules/linux/privilege_escalation_shadow_file_read.toml
@@ -21,7 +21,7 @@ name = "Potential Shadow File Read via Command Line Utilities"
 references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
 risk_score = 47
 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
index 00fc5f63c..488762834 100644
--- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
+++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
@@ -22,7 +22,7 @@ name = "Potential Sudo Privilege Escalation via CVE-2019-14287"
 references = ["https://www.exploit-db.com/exploits/47502"]
 risk_score = 47
 rule_id = "8af5b42f-8d74-48c8-a8d0-6d14b4197288"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml
index c9d495674..d87321780 100644
--- a/rules/linux/privilege_escalation_sudo_hijacking.toml
+++ b/rules/linux/privilege_escalation_sudo_hijacking.toml
@@ -21,7 +21,7 @@ name = "Potential Sudo Hijacking Detected"
 references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"]
 risk_score = 47
 rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
index 47d276124..5afea58d3 100644
--- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
+++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
@@ -23,7 +23,7 @@ name = "Potential Sudo Token Manipulation via Process Injection"
 references = ["https://github.com/nongiach/sudo_inject"]
 risk_score = 47
 rule_id = "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
index 37b12bbcd..981ed2527 100644
--- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
+++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
@@ -22,7 +22,7 @@ license = "Elastic License v2"
 name = "Potential Privilege Escalation via Python cap_setuid"
 risk_score = 47
 rule_id = "a0ddb77b-0318-41f0-91e4-8c1b5528834f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
index d25cc2fb1..eb0e11514 100644
--- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
+++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
@@ -21,7 +21,8 @@ license = "Elastic License v2"
 name = "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities"
 risk_score = 47
 rule_id = "d55abdfb-5384-402b-add4-6c401501b0c3"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Auditd Manager.
@@ -45,7 +46,6 @@ However, if more advanced configuration is required to detect specific behavior,
 - For this detection rule the following additional audit rules are required to be added to the integration:
 -- "-w /etc/ -p rwxa -k audit_recursive_etc"
 -- "-w /root/ -p rwxa -k audit_root"
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
index 370716cb8..ab23c2c48 100644
--- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
+++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
@@ -22,7 +22,8 @@ license = "Elastic License v2"
 name = "Suspicious Passwd File Event Action"
 risk_score = 47
 rule_id = "71d6a53d-abbd-40df-afee-c21fff6aafb0"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend and Auditd Manager.
@@ -67,7 +68,6 @@ Auditd Manager subscribes to the kernel and receives events as they occur withou
 However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
 - For this detection rule the following additional audit rules are required to be added to the integration:
 -- "-w /etc/passwd -p wa -k etcpasswd"
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
index 447a4e5ff..b1bbabd85 100644
--- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
+++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
@@ -21,7 +21,8 @@ license = "Elastic License v2"
 name = "Privilege Escalation via CAP_SETUID/SETGID Capabilities"
 risk_score = 47
 rule_id = "9b80cb26-9966-44b5-abbf-764fbdbc3586"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
index f1a4e1d5a..dea4450ad 100644
--- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml
+++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Potential Privilege Escalation via Recently Compiled Executable"
 risk_score = 47
 rule_id = "193549e8-bb9e-466a-a7f9-7e783f5cb5a6"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
index 6ddfcac21..c27fcc55b 100644
--- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4"
-setup = """
+setup = """## Setup
 This rule requires data coming in from one of the following integrations:
 - Elastic Defend
@@ -60,7 +60,6 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
 - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
-
 """
 severity = "medium"
 tags = [
diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml
index 1d3ac1b99..66a4907ba 100644
--- a/rules/linux/privilege_escalation_writable_docker_socket.toml
+++ b/rules/linux/privilege_escalation_writable_docker_socket.toml
@@ -22,7 +22,7 @@ name = "Potential Privilege Escalation through Writable Docker Socket"
 references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
 risk_score = 47
 rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 9adf0f9cc..484646c07 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -20,7 +20,7 @@ name = "Access of Stored Browser Credentials"
 references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
 risk_score = 73
 rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 51e4bc2c3..e9cf08174 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index 7fbcaba7b..36af1b87a 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "02ea4563-ec10-4974-b7de-12e65aa4f9b3"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index 65af290c4..c437c128e 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -18,7 +18,7 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -42,7 +42,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 references = ["https://ss64.com/osx/security.html"]
 risk_score = 73
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index 929b815f9..91fb75396 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index 2a405a3ea..d72f058d7 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -27,7 +27,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "9092cd6c-650f-4fa3-8a8a-28256c7489c9"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -51,7 +51,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 19aee0568..0c36c42d4 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
index dc0792866..31068ac42 100644
--- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
@@ -20,7 +20,7 @@ name = "Potential macOS SSH Brute Force Detected"
 references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"]
 risk_score = 47
 rule_id = "ace1e989-a541-44df-93a8-a8b0591b63c0"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index 69a4fff63..5da5a6efe 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "38948d29-3d5d-42e3-8aec-be832aaaf8eb"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index b1879d37b..6c5e6cf02 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -21,7 +21,7 @@ name = "SystemKey Access via Command Line"
 references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"]
 risk_score = 73
 rule_id = "d75991f2-b989-419d-b797-ac1e54ec2d61"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index 355395e8e..d4ff69231 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -21,7 +21,7 @@ name = "SoftwareUpdate Preferences Modification"
 references = ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"]
 risk_score = 47
 rule_id = "f683dcdf-a018-4801-b066-193d4ae6c8e5"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index d5842232e..5799bf840 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 8d4130657..9371e7606 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "4da13d6e-904f-4636-81d8-6ab14b4e6ae9"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index 5a945899d..d20639297 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -23,7 +23,7 @@ name = "Attempt to Install Root Certificate"
 references = ["https://ss64.com/osx/security-cert.html"]
 risk_score = 47
 rule_id = "bc1eeacf-2972-434f-b782-3a532b100d67"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index f381d95c9..92745394d 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 5f5010f18..5323edd7f 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -25,7 +25,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "eea82229-b002-470e-a9e1-00be38b14d32"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -49,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 88397e61c..73685fd4d 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index a59833b4e..d17b16d0b 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -21,7 +21,7 @@ name = "Modification of Safari Settings via Defaults Command"
 references = ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"]
 risk_score = 47
 rule_id = "6482255d-f468-45ea-a5b3-d3a7de1331ae"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 4bfdbde98..5fe54a81d 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -25,7 +25,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "d22a85c6-d2ad-4cc4-bf7b-54787473669a"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -49,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 16db1a3a1..7b51eb138 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -21,7 +21,7 @@ name = "TCC Bypass via Mounted APFS Snapshot Access"
 references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
 risk_score = 73
 rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index 887202ed9..dfe03dda7 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -16,7 +16,7 @@ license = "Elastic License v2"
 name = "Attempt to Unload Elastic Endpoint Security Kernel Extension"
 risk_score = 73
 rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -40,7 +40,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 3478b4cc7..f5c71d082 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Enumeration of Users or Groups via Built-in Commands"
 risk_score = 21
 rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -43,7 +43,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index b77a7eacd..01c2ed6cf 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "35330ba2-c859-4c98-8b7f-c19159ea0e58"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"]
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index 7b71c1666..c9d4f303f 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "080bc66a-5d56-4d1f-8071-817671716db9"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"]
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 25b29db8f..976ec3a1e 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -33,7 +33,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -57,7 +57,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"]
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index ee794d001..136bfe590 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -21,7 +21,7 @@ name = "Suspicious Automator Workflows Execution"
 references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
 risk_score = 47
 rule_id = "5d9f8cfc-0d03-443e-a167-2b0597ce0965"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index dbce68724..b1f11d979 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "47f76567-d58a-4fed-b32b-21f571e28910"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"]
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 98b1a919a..d00b7b2ff 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index 52658c44f..80805763a 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -21,7 +21,7 @@ name = "Suspicious macOS MS Office Child Process"
 references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"]
 risk_score = 47
 rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 7a6176e2a..5d97ac011 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -20,7 +20,7 @@ name = "Potential Kerberos Attack via Bifrost"
 references = ["https://github.com/its-a-feature/bifrost"]
 risk_score = 73
 rule_id = "16904215-2c95-4ac8-bf5c-12354e047192"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 849c0da8c..226042e14 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -20,7 +20,7 @@ name = "Attempt to Mount SMB Share via Command Line"
 references = ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"]
 risk_score = 21
 rule_id = "661545b4-1a90-4f45-85ce-2ebd7c6a15d0"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 21664c28c..3e6f70a97 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -21,7 +21,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index e18d5b708..f54ba8e70 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 21
 rule_id = "15dacaa0-5b90-466b-acab-63435a59701a"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 3b6b5c305..841b7e479 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -20,7 +20,7 @@ name = "Potential Hidden Local User Account Creation"
 references = ["https://support.apple.com/en-us/HT203998"]
 risk_score = 47
 rule_id = "41b638a1-8ab6-4f8e-86d9-466317ef2db5"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index 2c567f959..1b0f3cb86 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 21
 rule_id = "082e3f8c-6f80-485c-91eb-5b112cb79b28"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index c09c22db6..776e53467 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Creation of Hidden Login Item via Apple Script"
 risk_score = 47
 rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -43,7 +43,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 1084d127f..a6aeb4b28 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 21
 rule_id = "9d19ece6-c20e-481a-90c5-ccca596537de"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 16ccd92d7..54ba3babb 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index 3bca30d7c..d0f9b622d 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "530178da-92ea-43ce-94c2-8877a826783d"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index 90d42e8a4..dde96a35b 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "083fa162-e790-4d85-9aeb-4fea04188adb"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index e9b8249c6..182980687 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -21,7 +21,7 @@ name = "Persistence via DirectoryService Plugin Modification"
 references = ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"]
 risk_score = 47
 rule_id = "89fa6cb7-6b53-4de2-b604-648488841ab8"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 840b34a05..4e23067e7 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -22,7 +22,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "c81cefcb-82b9-4408-a533-3c3df549e62d"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index fe083ffd4..98d49da56 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index 14a539657..54d9a2796 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -21,7 +21,7 @@ name = "Suspicious Emond Child Process"
 references = ["https://www.xorrior.com/emond-persistence/"]
 risk_score = 47
 rule_id = "3e3d15c6-1509-479a-b125-21718372157e"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index 523a16a60..071bdeec6 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -20,7 +20,7 @@ name = "Attempt to Enable the Root Account"
 references = ["https://ss64.com/osx/dsenableroot.html"]
 risk_score = 47
 rule_id = "cc2fd2d0-ba3a-4939-b87f-2901764ed036"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 725a73339..91ca171a5 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -22,7 +22,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "092b068f-84ac-485d-8a55-7dd9e006715f"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -46,7 +46,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 39c7c9641..629af7b05 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
-setup = """
+setup = """## Setup
 This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 662cf203c..ba000b092 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -21,7 +21,7 @@ name = "Persistence via Folder Action Script"
references = ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"]
risk_score = 47
rule_id = "c292fa52-4115-408a-b897-e14f684b3cb7"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -45,7 +45,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index 460172170..27b66280d 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -23,7 +23,7 @@ references = [
]
risk_score = 47
rule_id = "5d0265bf-dea9-41a9-92ad-48a8dcd05080"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 9c0214052..feaefc0e4 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -23,7 +23,7 @@ Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be r
references = ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"]
risk_score = 47
rule_id = "ac412404-57a5-476f-858f-4e8fbb4f48d8"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index bb6ec0af5..2a42dcc35 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -20,7 +20,7 @@ name = "Sublime Plugin or Application Script Modification"
references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
risk_score = 21
rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index 452a6edf5..b27ce05a7 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -24,7 +24,7 @@ references = [
]
risk_score = 21
rule_id = "48ec9452-e1fd-4513-a376-10a1a26d2c83"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index aefbe44d6..7509ec421 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -25,7 +25,6 @@ note = """## Triage and analysis
as a download of a payload from a server.
- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to identify whether the file is malicious or not.
-
"""
references = [
"https://posts.specterops.io/saving-your-access-d562bf5bf90b",
@@ -33,7 +32,7 @@ references = [
]
risk_score = 47
rule_id = "48d7f54d-c29e-4430-93a9-9db6b5892270"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -57,7 +56,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index cee7f8fbd..09eaadca5 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -23,7 +23,6 @@ note = """## Triage and analysis
- Analyze the plist file modification event to identify whether the change was expected or not
- Investigate the process that modified the plist file for malicious code or other suspicious behavior
- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host
-
"""
references = [
"https://posts.specterops.io/saving-your-access-d562bf5bf90b",
@@ -31,7 +30,7 @@ references = [
]
risk_score = 47
rule_id = "e6e8912f-283f-4d0d-8442-e0dcaf49944b"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -55,7 +54,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index d8499a327..11859698a 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -25,7 +25,7 @@ references = [
]
risk_score = 47
rule_id = "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -49,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 5fdc2f48c..47d8aa87a 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -23,7 +23,7 @@ references = [
]
risk_score = 21
rule_id = "b4449455-f986-4b5a-82ed-e36b129331f7"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index 361420756..036117e2a 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -20,7 +20,7 @@ name = "Apple Scripting Execution with Administrator Privileges"
references = ["https://discussions.apple.com/thread/2266150"]
risk_score = 47
rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 5ea08419d..5cd2ed8d6 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -24,7 +24,7 @@ references = [
]
risk_score = 47
rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index 6f3c7ecb4..62f86ac76 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -24,7 +24,7 @@ references = [
]
risk_score = 73
rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -48,7 +48,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "high"
tags = [
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index 66d39ea18..a678ff63e 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -20,7 +20,7 @@ name = "Potential Admin Group Account Addition"
references = ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"]
risk_score = 47
rule_id = "565c2b44-7a21-4818-955f-8d4737967d2e"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -44,7 +44,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 8e7f94f37..619fe2872 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -23,7 +23,7 @@ references = [
]
risk_score = 73
rule_id = "0ff84c42-873d-41a2-a4ed-08d74d352d01"
-setup = """
+setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -47,7 +47,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 0621e9acd..a4c2973f8 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -58,7 +58,6 @@ Attackers can abuse this functionality in preparation for exfiltrating contents,
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
@@ -66,7 +65,7 @@ references = [
]
risk_score = 47
rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index 3e08d0f6e..6442808d0 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -52,15 +52,14 @@ Attackers can use PowerShell to interact with the Windows API with the intent of
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"]
risk_score = 47
rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43"
-setup="""
+setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml
index 00ac625f4..713501b8e 100644
--- a/rules/windows/collection_posh_clipboard_capture.toml
+++ b/rules/windows/collection_posh_clipboard_capture.toml
@@ -54,7 +54,6 @@ Attackers can abuse PowerShell capabilities to get the contents of the clipboard
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard",
@@ -62,10 +61,10 @@ references = [
]
risk_score = 47
rule_id = "92984446-aefb-4d5e-ad12-598042ca80ba"
-setup="""
+setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index 20d033f2b..40b2eec01 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -54,7 +54,6 @@ Attackers can abuse PowerShell capabilities to capture user keystrokes with the
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
@@ -62,10 +61,10 @@ references = [
]
risk_score = 47
rule_id = "bd2c86a0-8b61-4457-ab38-96943984e889"
-setup="""
+setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml
index 7846029f4..37104cac0 100644
--- a/rules/windows/collection_posh_mailbox.toml
+++ b/rules/windows/collection_posh_mailbox.toml
@@ -55,7 +55,6 @@ This rule identifies scripts that contains methods and classes that can be abuse
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1",
@@ -63,10 +62,10 @@ references = [
]
risk_score = 47
rule_id = "a2d04374-187c-4fd9-b513-3ad4e7fdd67a"
-setup="""
+setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index 9fc9c9127..076d9e759 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -53,15 +53,14 @@ Attackers can abuse PowerShell capabilities and take screen captures of desktops
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"]
risk_score = 47
rule_id = "959a7353-1129-4aa7-9084-30746b256a70"
-setup="""
+setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
diff --git a/rules/windows/collection_posh_webcam_video_capture.toml b/rules/windows/collection_posh_webcam_video_capture.toml
index 538b1cc3f..f79cd9779 100644
--- a/rules/windows/collection_posh_webcam_video_capture.toml
+++ b/rules/windows/collection_posh_webcam_video_capture.toml
@@ -20,7 +20,8 @@ name = "PowerShell Script with Webcam Video Capture Capabilities"
references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"]
risk_score = 47
rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43"
-setup = """
+setup = """## Setup
+
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index cddc0e844..4fa0d4903 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -48,13 +48,11 @@ These steps are usually done in preparation for exfiltration, meaning the attack
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-
"""
references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"]
risk_score = 47
rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index a1a30da97..326cf7f8a 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
name = "Connection to Commonly Abused Free SSL Certificate Providers"
risk_score = 21
rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d"
-setup = """
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 8f966609c..ea877f076 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -57,15 +57,13 @@ This rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Service
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-
"""
references = [
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
]
risk_score = 47
rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 6a0ca0440..fd430c63d 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -50,13 +50,11 @@ This rule looks for command lines involving the `3389` port, which RDP uses by d
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-
"""
references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"]
risk_score = 73
rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 50ff497ab..9e0616f7e 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -131,13 +131,11 @@ The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop i
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-
"""
references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"]
risk_score = 47
rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 9345fb896..673465a0c 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -126,7 +126,6 @@ The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used t
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://twitter.com/mohammadaskar2/status/1301263551638761477",
@@ -134,7 +133,7 @@ references = [
]
risk_score = 47
rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 364a9fdb8..dff65c7a2 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -89,13 +89,11 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-
"""
references = ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
risk_score = 47
rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
index db0ed4795..9aa5d6bcc 100644
--- a/rules/windows/credential_access_bruteforce_admin_account.toml
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -92,12 +92,11 @@ This rule identifies potential password guessing/brute force activity from a sin
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"]
risk_score = 47
rule_id = "f9790abf-bd0c-45f9-8b5f-d0b74015e029"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index 555655711..bb4785687 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -96,12 +96,11 @@ This rule identifies potential password guessing/brute force activity from a sin
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"]
risk_score = 47
rule_id = "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index e4d0a5ffc..89a616fff 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -96,7 +96,6 @@ This rule identifies potential password guessing/brute force activity from a sin
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
@@ -106,7 +105,7 @@ references = [
]
risk_score = 47
rule_id = "48b6edfc-079d-4907-b43c-baffa243270d"
-setup="""
+setup = """## Setup
- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.
"""
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 519816012..47a7d6b6a 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -50,12 +50,11 @@ This rule looks for the execution of utilities that can extract credential data
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = ["https://lolbas-project.github.io/"]
risk_score = 73
rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 57a2012e6..790d08d45 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
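Review bot: In credential_access_bruteforce_multiple_logon_failure_same_srcip.toml the only text now under `## Setup` is a known false-negative condition (source address missing from 4625/4624 breaks the rule condition), not a prerequisite, so the new heading mislabels it. The sibling rules in this commit state their prerequisite in the form `The 'Audit ...' logging policy must be configured for (Success, Failure).`; I would keep the heading, add that sentence for the logon audit subcategory that emits 4624/4625 (I believe it is 'Audit Logon' — confirm), and move the limitation bullet under its own subheading or into the rule's `note`, where the other limitations of this rule family live. This hunk shows the whole `setup` string, so the change is local to these lines.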
@@ -106,7 +106,7 @@ references = [
]
risk_score = 73
rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f"
-setup = """
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 941dbee3b..920ae2202 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -54,7 +54,6 @@ This rule monitors for when a Windows Event ID 4662 (Operation was performed on
- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
@@ -66,7 +65,7 @@ references = [
]
risk_score = 73
rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def"
-setup="""
+setup = """## Setup
The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 2d2a80f89..d5123d71f 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -54,7 +54,6 @@ This rule monitors for Event ID 4662 (Operation was performed on an Active Direc
- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
@@ -66,7 +65,7 @@ references = [
]
risk_score = 73
rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1"
-setup="""
+setup = """## Setup
The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 88a222227..0d845d464 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -45,7 +45,6 @@ AS-REP roasting is an attack against Kerberos for user accounts that do not requ
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://harmj0y.medium.com/roasting-as-reps-e6179a65216b",
@@ -54,7 +53,7 @@ references = [
]
risk_score = 47
rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1"
-setup="""
+setup = """## Setup
The 'Audit User Account Management' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 9c694a6a0..1d4b4510c 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -20,7 +20,6 @@ name = "Creation or Modification of Domain Backup DPAPI private key"
note = """## Triage and analysis
Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.
-
"""
references = [
"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
@@ -28,7 +27,7 @@ references = [
]
risk_score = 73
rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 9326a51e8..e983b3ecd 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -52,7 +52,6 @@ This rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, w
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8",
@@ -60,7 +59,7 @@ references = [
]
risk_score = 73
rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 9cf10e51c..63a2a3985 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -21,7 +21,7 @@ name = "Microsoft IIS Service Account Password Dumped"
references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
risk_score = 73
rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
-setup = """
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index c170a7091..72dc226aa 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -25,7 +25,7 @@ references = [
]
risk_score = 73
rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
-setup = """
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 4c4471cb9..040c2bdc3 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -100,11 +100,10 @@ Domain-joined hosts usually perform Kerberos traffic using the `lsass.exe` proce
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
risk_score = 47
rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index f4e5730c8..748600024 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -24,7 +24,7 @@ references = [
]
risk_score = 47
rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
-setup = """
+setup = """## Setup
The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 8b5579977..6a8117067 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -21,7 +21,7 @@ name = "Suspicious LSASS Access via MalSecLogon"
references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"]
risk_score = 73
rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
-setup = """
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
index 5232fa701..833caabfc 100644
--- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml
+++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
@@ -24,7 +24,7 @@ references = [
]
risk_score = 47
rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97"
-setup = """
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index e76d113f0..1dbbfc726 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -94,12 +94,11 @@ This rule looks for the creation of memory dump files with file names compatible
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"]
risk_score = 73
rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 031caee24..955bd4997 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -96,7 +96,6 @@ Adversaries may attempt to access credential material stored in LSASS process me
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",
@@ -108,7 +107,7 @@ references = [
]
risk_score = 73
rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de"
-setup="""
+setup = """## Setup
Ensure advanced audit policies for Windows are enabled, specifically: Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index f1bb4e0f7..94214a118 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -54,12 +54,11 @@ This rule looks for the creation of a file named `mimilsa.log`, which is generat
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = ["https://www.elastic.co/security-labs/detect-credential-access"]
risk_score = 73
rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 8a105168d..43c6855a8 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -63,7 +63,6 @@ More information about Mimikatz components and how to detect/prevent them can be
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://attack.mitre.org/software/S0002/",
@@ -72,11 +71,11 @@ references = [
]
risk_score = 73
rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46"
-setup="""
+setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be configured (Enable).
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 680a532e6..97ffbf93c 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -61,7 +61,6 @@ Still, attackers can force WDigest to store the passwords insecurely on the memo
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
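Review bot: In the second hunk of credential_access_mimikatz_powershell_module.toml the prerequisite reads `The 'PowerShell Script Block Logging' logging policy must be configured (Enable).`, while the posh_kerb_ticket_dump, posh_minidump and posh_request_ticket hunks that follow state the same requirement as `The 'PowerShell Script Block Logging' logging policy must be enabled.`. Since this commit is already normalizing these blocks (the `## Setup` heading and the `with with` fix on the next line), I would align this sentence to `must be enabled.` so the four rules read identically. The `setup` string continues past the end of the hunk, so the rest of the steps are not visible here.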
@@ -71,7 +70,7 @@ references = [
]
risk_score = 73
rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"
-setup="""
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
index b0b9585a6..30f68c476 100644
--- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml
+++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml
@@ -67,7 +67,7 @@ references = [
]
risk_score = 47
rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56"
-setup = """
+setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index 5b6e4abf1..ce3f0e998 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -53,7 +53,6 @@ Attackers can abuse Process Memory Dump capabilities to extract credentials from
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1",
@@ -62,10 +61,10 @@ references = [
]
risk_score = 73
rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77"
-setup="""
+setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 65fc728d4..6086f78ad 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -50,7 +50,6 @@ Attackers can use PowerShell to request these Kerberos tickets, with the intent
- Isolate the involved hosts to prevent further post-compromise behavior.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://cobalt.io/blog/kerberoast-attack-techniques",
@@ -58,10 +57,10 @@ references = [
]
risk_score = 47
rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39"
-setup="""
+setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index 82c05f660..16c4b3eaa 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -20,7 +20,7 @@ name = "Potential Credential Access via DuplicateHandle in LSASS"
references = ["https://github.com/CCob/MirrorDump"]
risk_score = 47
rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
-setup = """
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index f9dde3bf8..7107bdc79 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -51,7 +51,6 @@ Attackers can use tools like secretsdump.py or CrackMapExec to dump the registry
- Reimage the host operating system or restore the compromised files to clean versions.
- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
@@ -59,7 +58,7 @@ references = [
]
risk_score = 73
rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
-setup="""
+setup = """## Setup
This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 725523a49..73620d2f3 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
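Review bot: In the second hunk of credential_access_remote_sam_secretsdump.toml the setup text that now sits under `## Setup` reads `Both data should be collected from the host for this detection to work.`, which is ungrammatical and leaves "both" unresolved for a reader who skims past the previous sentence. Since the commit is already rewording these blocks, I would tighten the two lines to `This rule correlates Elastic Endpoint file creation events with events from the system integration.` and `Both data sources must be collected from the same host for this detection to work.`, keeping the existing meaning. The hunk shows these two lines as the tail of the `setup` string; whether anything follows them is outside the hunk.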
@@ -24,7 +24,7 @@ references = [
]
risk_score = 47
rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
-setup = """
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 898e1f7fe..700f5027c 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -25,7 +25,7 @@ references = [
]
risk_score = 47
rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
-setup = """
+setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index cb2e9af8a..85a166a85 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -51,7 +51,6 @@ It is critical to control the assignment of this privilege. A user with this pri
- Review the privileges of the administrator account that performed the action.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/",
@@ -62,7 +61,7 @@ references = [
]
risk_score = 73
rule_id = "f494c678-3c33-43aa-b169-bb3d5198c41d"
-setup="""
+setup = """## Setup
The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index c9959825c..ae9a46865 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -54,7 +54,6 @@ Attackers with write privileges on this attribute over an object can abuse it to
- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
"""
references = [
"https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab",
@@ -64,7 +63,7 @@ references = [
]
risk_score = 73
rule_id = "79f97b31-480e-4e63-a7f4-ede42bf2c6de"
-setup="""
+setup = """## Setup
The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 899a7184c..0825930bd 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -51,7 +51,6 @@ Attackers can also perform "Targeted Kerberoasting", which consists of adding fa - Isolate the involved hosts to prevent further post-compromise behavior. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", @@ -63,7 +62,7 @@ references = [ ] risk_score = 73 rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289" -setup=""" +setup = """## Setup The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml index e5bf9b49c..2c2c0792d 100644 --- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml @@ -108,7 +108,7 @@ This rule identifies suspicious instances of rundll32.exe loading a renamed COMS references = ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"] risk_score = 73 rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef" -setup = """ +setup = """## Setup You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original File Name. diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml index 189c8834e..f9434737f 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml 
@@ -19,7 +19,8 @@ name = "Suspicious Lsass Process Access" references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"] risk_score = 47 rule_id = "128468bf-cab1-4637-99ea-fdf3780a4609" -setup = """ +setup = """## Setup + If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index 04bb7f0d5..e80ab4c5d 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -23,7 +23,7 @@ references = [ ] risk_score = 73 rule_id = "9960432d-9b26-409f-972b-839a959e79e2" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml index d3c14edce..7673543ca 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml @@ -24,7 +24,7 @@ references = [ ] risk_score = 73 rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283" -setup = """ +setup = """## Setup This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold rule cardinality feature. 
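Review bot: The new `setup` string in credential_access_suspicious_lsass_access_generic.toml is the only one in this change that inserts a blank line between `## Setup` and the first sentence (the hunk adds an empty `+` line, hence `-19,7 +19,8`), while every other file starts the text directly under the heading. Unless the blank line is intentional, drop it so the rendered setup guides are consistent across rules: `setup = """## Setup` followed directly by the `If enabling an EQL rule ...` line. The remainder of the `setup` string continues past the end of the hunk.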
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index c1e1398cd..6e9b8c90f 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -47,7 +47,6 @@ This rule identifies remote access to the registry using an account with Backup - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://github.com/mpgn/BackupOperatorToDA", @@ -56,10 +55,10 @@ references = [ ] risk_score = 47 rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2" -setup=""" +setup = """## Setup The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers. -Steps to implement the logging policy with with Advanced Audit Configuration: +Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Policies > @@ -72,7 +71,7 @@ Audit Detailed File Share (Success) ``` The 'Special Logon' audit policy must be configured (Success). -Steps to implement the logging policy with with Advanced Audit Configuration: +Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Policies > diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index 866dd6206..280d5de5d 100644 
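Review bot: The hunk fixes the two `with with` typos but leaves the sentence in its own context, two lines above the first fix, reading `The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.`; since that line is already inside the hunk, `is required to be configured` would be the natural correction in the same pass. The setup text for the second audit policy is in a separate hunk of the same file.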
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml @@ -55,7 +55,6 @@ Shadow copies are backups or snapshots of an endpoint's files or volumes while t - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", @@ -65,7 +64,7 @@ references = [ ] risk_score = 47 rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0" -setup=""" +setup = """## Setup Ensure advanced audit policies for Windows are enabled, specifically: Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml index 44fa933a5..cb5a37c87 100644 --- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml +++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml @@ -23,7 +23,7 @@ references = [ ] risk_score = 73 rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00" -setup = """ +setup = """## Setup This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation. diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 713554bfa..096dbb093 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml 
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml @@ -66,7 +66,6 @@ This rule monitors the modifications to the Software\\Microsoft\\Windows Script\ - Delete or set the key to its default value. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", @@ -74,7 +73,7 @@ references = [ ] risk_score = 73 rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index e40f04161..8f547a0de 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -47,7 +47,6 @@ Attackers can try to cover their tracks by clearing PowerShell console history. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility. - """ references = [ "https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", 
@@ -56,7 +55,7 @@ references = [ ] risk_score = 47 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 9e8d1f529..e5fe7f7dd 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -48,11 +48,10 @@ This rule looks for the execution of the `wevtutil.exe` utility or the `Clear-Ev - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 21 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 196f03e1b..e7c99cc2d 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml 
@@ -63,7 +63,6 @@ This rule identifies the creation or modification of a root certificate by monit - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", @@ -71,7 +70,7 @@ references = [ ] risk_score = 21 rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 41dabfb1b..90d3f9d0c 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml 
@@ -53,12 +53,11 @@ This rule monitors the registry for configurations that disable Windows Defender - Review the privileges assigned to the user to ensure that the least privilege principle is being followed. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = ["https://thedfirreport.com/2020/12/13/defender-control/"] risk_score = 21 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index 68c94907a..eb976f331 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml 
@@ -63,14 +63,13 @@ Microsoft Windows Defender is an antivirus product built into Microsoft Windows. - Exclusion lists for antimalware capabilities should always be routinely monitored for review. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", ] risk_score = 47 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 97ce1fc16..7c27e1ac7 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml 
@@ -46,11 +46,10 @@ This rule identifies patterns related to disabling the Windows firewall or its r - Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 47 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index 86cb361e1..7a232c0a1 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml 
@@ -51,14 +51,13 @@ This rule monitors the execution of commands that can tamper the Windows Defende - Review the privileges assigned to the user to ensure that the least privilege principle is being followed. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps", ] risk_score = 47 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index fed450861..a50bb79f5 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -47,7 +47,6 @@ This rule looks for the usage of different utilities to disable the EventLog ser - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", 
@@ -55,7 +54,7 @@ references = [ ] risk_score = 21 rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index d2e57afe8..159c2ed76 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml @@ -24,7 +24,7 @@ references = [ ] risk_score = 21 rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index 61a1ad7c7..382d5f218 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Suspicious .NET Code Compilation" risk_score = 47 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index 227bf31ce..0d7a3c10f 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml 
@@ -52,11 +52,10 @@ This rule detects the creation of a Windows Firewall inbound rule that would all - Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 47 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index d0d5927b4..f6b48f1fd 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml @@ -48,11 +48,10 @@ Attackers can enable Network Discovery on the Windows firewall to find other sys - Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 47 rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. 
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 990318c2e..8ce79e928 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -20,7 +20,7 @@ name = "Control Panel Process with Unusual Arguments" references = ["https://www.joesandbox.com/analysis/476188/1/html"] risk_score = 73 rule_id = "416697ae-e468-4093-a93d-59661fa619ec" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 55597604d..d29d15209 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -96,7 +96,7 @@ This rule identifies potential abuse for code execution by monitoring for specif references = ["https://dtm.uk/wuauclt/"] risk_score = 47 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index e626be02a..2528500d7 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml 
@@ -72,12 +72,11 @@ This rule looks for the `Msbuild.exe` utility spawned by MS Office programs. Thi - Remove emails from the sender from mailboxes. - Consider improvements to the security awareness program. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] risk_score = 73 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index ab0090d54..a89f2b1df 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Microsoft Build Engine Started by a Script Process" risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 6e2ded627..f6eae5396 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml 
@@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Microsoft Build Engine Started by a System Process" risk_score = 47 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index d5a420922..1b69626b1 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -93,11 +93,10 @@ This rule checks for renamed instances of MSBuild, which can indicate an attempt - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index b7d8acd9c..aac75e2e2 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml 
@@ -26,7 +26,7 @@ name = "Microsoft Build Engine Started an Unusual Process" references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 6f225628d..9c3b9b634 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Potential DLL Side-Loading via Trusted Microsoft Programs" risk_score = 73 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index 947f179c3..adae580df 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -24,7 +24,7 @@ references = [ ] risk_score = 73 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. 
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index 2cea69c4c..3a12768c8 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Executable File Creation with Multiple Extensions" risk_score = 47 rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 9608d384b..b34cf79fa 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml @@ -99,7 +99,7 @@ This rule identifies processes that are executed from suspicious default Windows """ risk_score = 47 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 2479e6e97..bcda352bb 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml 
@@ -51,11 +51,10 @@ This rule monitors commands that disable IIS logging. - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 73 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index e3ffd906e..2a07bcffd 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Suspicious Endpoint Security Parent Process" risk_score = 47 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index f89ab8060..04b3cc2ac 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml 
@@ -92,11 +92,10 @@ This rule checks for renamed instances of AutoIt, which can indicate an attempt
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 89db66023..e669d9d22 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -26,7 +26,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 0e9d81507..379a198b8 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Program Files Directory Masquerading"
 risk_score = 47
 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 28e126147..6c51bbad0 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -54,7 +54,6 @@ This rule monitors the registry for modifications that disable Windows Defender
 - Review the privileges assigned to the user to ensure that the least privilege principle is being followed.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
@@ -68,7 +67,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "fe794edd-487f-4a90-b285-3ee54f2af2d3"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index f0adc54b4..db501f184 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -64,12 +64,10 @@ This rule looks for registry changes affecting the conditions above.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-
 """
 risk_score = 47
 rule_id = "feeed87c-5e95-4339-aef1-47fd79bcfbe3"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index 210b97f19..f3b8f9389 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -101,15 +101,14 @@ Attackers can use .NET reflection to load PEs and DLLs in memory. These payloads
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"]
 risk_score = 47
 rule_id = "e26f042e-c590-4e82-8e05-41e81bd822ad"
-setup="""
+setup = """## Setup
 The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index ea3c5c53b..7e2a292ea 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -102,14 +102,13 @@ Attackers can embed compressed and encoded payloads in scripts to load directly
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "81fe9dc6-a2d7-4192-a2d8-eed98afc766a"
-setup="""
+setup = """## Setup
 The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 4eb1d0cb0..915c8255e 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -55,7 +55,6 @@ Red Team tooling and malware developers take advantage of these capabilities to
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1",
@@ -65,10 +64,10 @@ references = [
 ]
 risk_score = 47
 rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d"
-setup="""
+setup = """## Setup
 The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 42ca4b25d..777b4f437 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -56,7 +56,6 @@ This rule identifies patterns related to disabling the Windows firewall or its r
 - Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
@@ -66,7 +65,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index df9720034..ade9403c9 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 22cfee419..a09dff277 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -21,7 +21,7 @@ name = "Scheduled Tasks AT Command Enabled"
 references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
 risk_score = 47
 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 82893f451..6380cfef1 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -22,7 +22,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "b9960fef-82c6-4816-befa-44745030e917"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index dd3fe6054..122d8881b 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index 261c92064..828a88880 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -97,7 +97,6 @@ This rule identifies suspicious process access events from an unknown memory reg
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://twitter.com/SBousseaden/status/1278013896440324096",
@@ -105,7 +104,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "2dd480be-1263-4d9c-8672-172928f6789a"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 9f35c66e0..d6bf790e6 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -92,11 +92,10 @@ This rule looks for the creation of executable files done by system-critical pro
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 73
 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
index 347503504..c681b21d1 100644
--- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
+++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Unsigned DLL Side-Loading from a Suspicious Folder"
 risk_score = 47
 rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index f0d6f96bc..de7dd47a1 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -98,11 +98,10 @@ Attackers can abuse these alternate data streams to hide malicious files, string
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index f74305fd0..4436f093f 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Unusual Process Execution Path - Alternate Data Stream"
 risk_score = 47
 rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index ad01f23b5..0725c6240 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -16,7 +16,7 @@ license = "Elastic License v2"
 name = "Unusual Child Process from a System Virtual Process"
 risk_score = 73
 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml
index 20e7e70cb..1e91be8a4 100644
--- a/rules/windows/defense_evasion_windows_filtering_platform.toml
+++ b/rules/windows/defense_evasion_windows_filtering_platform.toml
@@ -27,7 +27,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "92d3a04e-6487-4b62-892d-70e640a590dc"
-setup="""
+setup = """## Setup
 The 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 13261e73d..d7151581b 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -47,7 +47,6 @@ disk from a separate binary.
 - If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.
 - Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.
 - Confirm with the user whether this was expected or not, and reset their password.
-
 """
 references = [
     "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview",
@@ -56,7 +55,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index c36e70533..8ea56999d 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -52,7 +52,6 @@ note = """## Triage and analysis
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "http://www.joeware.net/freetools/tools/adfind/",
@@ -64,7 +63,7 @@ references = [
 ]
 risk_score = 21
 rule_id = "eda499b8-a073-4e35-9733-22ec71f57f3a"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index d4af75b94..1926238ed 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -48,11 +48,10 @@ This rule looks for the execution of the `net` and `wmic` utilities to enumerate
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "871ea072-1b71-4def-b016-6278b505138d"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 248c6ad92..36af20ef5 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -45,11 +45,10 @@ This rule looks for the execution of account discovery utilities using the SYSTE
 - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 - Use the data collected through the analysis to investigate other machines affected in the environment.
-
 """
 risk_score = 21
 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index e79a17c2b..df467a409 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -45,11 +45,10 @@ This rule looks for the execution of the `fsutil` utility with the `fsinfo` subc
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index c5f92588f..647e07c1b 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -49,7 +49,6 @@ Attackers can use PowerShell to enumerate shares to search for sensitive data li
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
@@ -58,11 +57,11 @@ references = [
 ]
 risk_score = 47
 rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
-setup="""
+setup = """## Setup
 The 'PowerShell Script Block Logging' logging policy must be configured (Enable).
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 42bd18ef4..2bf72aeb6 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -52,7 +52,6 @@ Attackers can use PowerShell to interact with the Win32 API to bypass command li
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413",
@@ -60,10 +59,10 @@ references = [
 ]
 risk_score = 47
 rule_id = "61ac3638-40a3-44b2-855a-985636ca985e"
-setup="""
+setup = """## Setup
 The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 43db99e4f..3030ce0a3 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -87,14 +87,13 @@ This rule looks for the enumeration of privileged local groups' membership by su
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4"
-setup="""
+setup = """## Setup
 The 'Audit Security Group Management' audit policy must be configured (Success).
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 110e0f014..7dc4a997a 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -54,11 +54,10 @@ This rule looks for the execution of the `whoami` utility. Attackers commonly us
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
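Review bot: In the discovery_privileged_localgroup_membership hunk the rewritten line still calls the prerequisite a "logging policy" while the line immediately above names it an "audit policy" ('Audit Security Group Management'), so the typo fix leaves the two sentences disagreeing about what is being configured. Since the line is being touched anyway, aligning the wording would keep the setup text consistent: `Steps to implement the audit policy with Advanced Audit Configuration:`. The same "logging policy" phrasing is correct as-is in the PowerShell Script Block Logging and Filtering Platform Connection hunks, where the prerequisite really is a logging policy. The setup string continues past the end of this hunk, so the rest of the policy path is not visible here.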
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 6ab39799f..099dd384a 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index ea57c3c8b..afe8dd14c 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index c503a2871..632d00edc 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 69b930cb2..737f04547 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -88,14 +88,13 @@ This rule looks for the creation of the `cmd.exe` process with `svchost.exe` as
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
     "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747",
 ]
 risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 7f7664d35..ca1bc7cbb 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -16,7 +16,7 @@ license = "Elastic License v2"
 name = "Unusual Parent Process for cmd.exe"
 risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index f305b49fb..518636a6f 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -17,7 +17,7 @@ license = "Elastic License v2"
 name = "Command Shell Activity Started via RunDLL32"
 risk_score = 21
 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 9cd5edf52..eebaef1f1 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Enumeration Command Spawned via WMIPrvSE"
 risk_score = 21
 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index f53e68dba..aab63bc38 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -93,11 +93,10 @@ This rule looks for the execution of scripts from unusual directories. Attackers
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 39a2881b5..2fb23ac26 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -113,10 +113,10 @@ references = [
 ]
 risk_score = 47
 rule_id = "cde1bafa-9f01-4f43-a872-605b678968b0"
-setup = """
+setup = """## Setup
 The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index feefe8279..680a68158 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
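Review bot: The rewritten line `+Steps to implement the logging policy with Advanced Audit Configuration:` in the execution_posh_hacktool_functions.toml hunk keeps a misleading label: PowerShell Script Block Logging is a Group Policy Administrative Templates setting, not a subcategory of Windows' Advanced Audit Policy Configuration, and the `Computer Configuration >` path that follows (its remainder lies outside the hunk) points at the Administrative Templates tree. Since the commit already touches this line to drop the doubled "with", it could read `Steps to implement the logging policy via Group Policy (Administrative Templates):` so operators look in the right console node. The same line is rewritten in the execution_posh_portable_executable.toml and execution_posh_psreflect.toml hunks that follow; the psreflect hunk also says "must be configured (Enable)" where the other two say "must be enabled", which could be aligned in the same pass.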
@@ -100,17 +100,16 @@ Attackers can abuse PowerShell in-memory capabilities to inject executables into
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
 ]
 risk_score = 47
 rule_id = "ad84d445-b1ce-4377-82d9-7c633f28bf9a"
-setup="""
+setup = """## Setup
 The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index a5332cf2d..32693d758 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -109,7 +109,6 @@ Detecting the core implementation of PSReflect means detecting most of the tooli
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1",
@@ -117,11 +116,11 @@ references = [
 ]
 risk_score = 47
 rule_id = "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe"
-setup="""
+setup = """## Setup
 The 'PowerShell Script Block Logging' logging policy must be configured (Enable).
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 ```
 Computer Configuration >
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index ae4376814..172e76a70 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -21,12 +21,11 @@ name = "Execution via local SxS Shared Module"
 note = """## Triage and analysis
 The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.
-
 """
 references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
 risk_score = 47
 rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 523272517..954093a05 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Suspicious Cmd Execution via WMI"
 risk_score = 47
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index df7c585b5..57a3f2ebc 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 21
 rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 4fa9bc8e8..014c6ec5b 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -64,11 +64,10 @@ This rule looks for commonly abused built-in utilities spawned by a PDF reader p
 - Remove emails from the sender from mailboxes.
 - Consider improvements to the security awareness program.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 5b29e6018..964813ffd 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -47,11 +47,10 @@ This rule identifies instances where the PsExec service component is executed us
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Review the privileges assigned to the user to ensure that the least privilege principle is being followed.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index b2055e51e..7557b4ec7 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -107,11 +107,10 @@ When users double-click CHM files, the HTML Help executable program (`hh.exe`) w
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 0b3d4e314..a470bba85 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -64,14 +64,13 @@ Attackers often rely on custom shell implementations to avoid using built-in com
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html",
 ]
 risk_score = 73
 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 818ea118f..b6af9f534 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -58,12 +58,11 @@ This rule identifies file deletions performed by a process that does not belong
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"]
 risk_score = 47
 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 383ad79ed..d9f8a5ec1 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -55,11 +55,10 @@ This rule identifies the deletion of the backup catalog using the `wbadmin.exe`
 - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index eff922231..9685dc95a 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -55,11 +55,10 @@ These are common steps in destructive attacks by adversaries leveraging ransomwa
 - If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index f796bff57..cd3dd590d 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -73,12 +73,10 @@ This rule monitors the execution of Vssadmin.exe to either delete or resize shad
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-
 """
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 9362ffe1d..38f888711 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -72,8 +72,6 @@ This rule monitors the execution of PowerShell cmdlets to interact with the Win3
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-
 """
 references = [
 "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy",
@@ -82,7 +80,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "d99a037b-c8e2-47a5-97b9-170d076827c4"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 53312c4d5..cf610f4b4 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -73,12 +73,10 @@ This rule monitors the execution of `wmic.exe` to interact with VSS via the `sha
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-
 """
 risk_score = 73
 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index a02c75d86..cef0db532 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Suspicious HTML File Creation"
 risk_score = 47
 rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 21197140c..bd7e5ba9e 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -66,11 +66,10 @@ This rule looks for the spawn of the `powershell.exe` process with `cscript.exe`
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 95aa2b45c..0620ed49d 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -35,8 +35,6 @@ Positive hits can be checked against the established Microsoft [baselines](https
 Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems from existing intrusions.
 Other tools for detecting and mitigating can be found within their Exchange support [repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)
-
-
 """
 references = [
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
@@ -44,7 +42,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 2d843c186..325e488c4 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -29,7 +29,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index 70c33993e..c12e88d6c 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "f81ee52c-297e-46d9-9205-07e66931df26"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 03c31133d..580e6a739 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -64,12 +64,11 @@ This rule looks for suspicious processes spawned by MS Office programs. This is
 - Remove emails from the sender from mailboxes.
 - Consider improvements to the security awareness program.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = ["https://www.elastic.co/blog/vulnerability-summary-follina"]
 risk_score = 47
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index c3d73e655..9b31a0714 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -63,11 +63,10 @@ This rule looks for suspicious processes spawned by MS Outlook, which can be the
 - Remove emails from the sender from mailboxes.
 - Consider improvements to the security awareness program.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 51ea424cb..681cf0ad7 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Suspicious Explorer Child Process"
 risk_score = 47
 rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index daae98184..f2608722f 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index f102377f4..19f21ad70 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -20,7 +20,7 @@ name = "Execution via TSClient Mountpoint"
 references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
 risk_score = 73
 rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 1baafe790..248ef5d84 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Mounting Hidden or WebDav Remote Shares"
 risk_score = 47
 rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 48f354d78..173ec089d 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -52,11 +52,10 @@ This rule detects modification of the fDenyTSConnections registry key to the val
 - Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "58aa72ca-d968-4f34-b9f7-bea51d75eb50"
-setup="""
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 4457e665b..af47cff8c 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "Remote File Copy to a Hidden Share"
 risk_score = 47
 rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index 92379f276..6ea088591 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -20,7 +20,7 @@ name = "Suspicious RDP ActiveX Client Loaded" references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"] risk_score = 47 rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml index b8fdd20d2..926af822b 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_children.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml @@ -59,7 +59,6 @@ This rule looks for unusual children of the `dns.exe` process, which can indicat - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Review the privileges assigned to the user to ensure that the least privilege principle is being followed. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", @@ -69,7 +68,7 @@ references = [ ] risk_score = 73 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index 6fecab4ef..38f219ea0 100644 --- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml 
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml @@ -23,7 +23,6 @@ note = """## Triage and analysis Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation: - Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. - Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care. - """ references = [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", @@ -32,7 +31,7 @@ references = [ ] risk_score = 73 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index 1e426b444..3bd9c8f0c 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -20,7 +20,7 @@ name = "Lateral Movement via Startup Folder" references = ["https://www.mdsec.co.uk/2017/06/rdpinception/"] risk_score = 73 rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 7838d792e..f46644e82 100644 
--- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -88,13 +88,11 @@ Attackers can replace the `RdrCEF.exe` executable with their own to maintain the - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - - """ references = ["https://twitter.com/pabraeken/status/997997818362155008"] risk_score = 21 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index 75bf2e6b4..2eae878d3 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Registry Persistence via AppCert DLL" risk_score = 47 rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index 82fdd0a2a..890c20797 100644 
--- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -106,11 +106,10 @@ This rule identifies modifications on the AppInit registry keys. - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 47 rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index 477e00059..e0c1c2bfb 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -44,7 +44,6 @@ This rule uses registry events to identify the creation of local hidden accounts - Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", 
@@ -52,7 +51,7 @@ references = [ ] risk_score = 73 rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index 03467d735..ccbf7600b 100644 --- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Persistence via Scheduled Job Creation" risk_score = 47 rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index 04c7bc0fd..a6d3e1ee0 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml @@ -17,7 +17,7 @@ name = "Persistence via Microsoft Office AddIns" references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"] risk_score = 73 rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index 206add36a..29767df94 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml 
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -21,7 +21,7 @@ references = [ ] risk_score = 47 rule_id = "397945f3-d39a-4e6f-8bcb-9656c2031438" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index 8923d0a01..8d7e3af7c 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml @@ -23,7 +23,7 @@ references = [ ] risk_score = 73 rule_id = "e052c845-48d0-4f46-8a13-7d0aba05df82" -setup = """ +setup = """## Setup The 'Audit User Account Management' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index e6a1023d6..1ceb3ea52 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -24,7 +24,7 @@ references = [ ] risk_score = 47 rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index a7ea05797..7d836d5eb 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml 
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -97,13 +97,11 @@ This rule looks for the execution of supposed accessibility binaries that don't - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - - """ references = ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"] risk_score = 73 rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index d90dffa95..396217ba5 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -57,7 +57,6 @@ This rule matches changes of the dsHeuristics object where the 16th bit is set t - The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", 
@@ -65,7 +64,7 @@ references = [ ] risk_score = 73 rule_id = "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7" -setup=""" +setup = """## Setup The 'Audit Directory Service Changes' logging policy must be configured for (Success). Steps to implement the logging policy with Advanced Audit Configuration: diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index e9155f188..cb93bd502 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -98,12 +98,11 @@ This rule monitors for commonly abused processes writing to the Startup folder l - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"] risk_score = 47 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index 94a4abcac..0908d94fb 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml 
@@ -98,11 +98,10 @@ This rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs s - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 47 rule_id = "f7c4dc5a-a58d-491d-9f14-9b66507121c0" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 4a92037eb..ed6feb2a6 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml 
@@ -57,15 +57,13 @@ Adversaries can insert malicious code that can be executed in place of legitimat - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - - """ references = [ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", ] risk_score = 47 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index 3603377cd..df8e8bb41 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -115,7 +115,7 @@ references = [ ] risk_score = 21 rule_id = "baa5d22c-5e1c-4f33-bfc9-efa73bb53022" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index 2d576ba34..69dd0de0f 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml 
@@ -17,7 +17,7 @@ license = "Elastic License v2" name = "Suspicious Execution via Scheduled Task" risk_score = 47 rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 31bb0ed4c..a9bf18fa9 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -46,14 +46,13 @@ This rule monitors events related to a user being added to a privileged group. - Review the privileges of the administrator account that performed the action. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory", ] risk_score = 47 rule_id = "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 17543b815..f0a124cdb 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml 
@@ -49,11 +49,10 @@ This rule identifies the usage of `net.exe` to create new accounts. - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ risk_score = 21 rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml index 7d3490ee7..119b62d02 100644 --- a/rules/windows/persistence_via_application_shimming.toml +++ b/rules/windows/persistence_via_application_shimming.toml @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Potential Application Shimming via Sdbinst" risk_score = 21 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml index ae13526f9..d7e072c7a 100644 --- a/rules/windows/persistence_via_bits_job_notify_command.toml +++ b/rules/windows/persistence_via_bits_job_notify_command.toml 
@@ -26,7 +26,7 @@ references = [ ] risk_score = 47 rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index e6f3e68bc..8d3f3c24d 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml +++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -23,7 +23,7 @@ references = [ ] risk_score = 73 rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml index 5210976fa..76e52714e 100644 --- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml @@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Installation of Security Support Provider" risk_score = 47 rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml index 7642c76dd..88221ecdb 100644 --- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml 
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml @@ -22,7 +22,7 @@ references = [ ] risk_score = 73 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index e3fb55d7f..ac07a6793 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -94,12 +94,11 @@ This rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = ["https://github.com/irsl/CVE-2020-1313"] risk_score = 73 rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index 13df16250..a5add5131 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml 
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -21,7 +21,7 @@ name = "Persistence via WMI Event Subscription" references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"] risk_score = 21 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c" -setup = """ +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml index 230c794dd..60edb5176 100644 --- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml @@ -49,12 +49,11 @@ The xp_cmdshell procedure is disabled by default, but when used, it has the same - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"] risk_score = 73 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 1d7fdbc1f..9d192e597 100644 --- a/rules/windows/persistence_webshell_detection.toml 
+++ b/rules/windows/persistence_webshell_detection.toml @@ -62,7 +62,6 @@ This rule detects a web server process spawning script and command-line interfac - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", @@ -71,7 +70,7 @@ references = [ ] risk_score = 73 rule_id = "2917d495-59bd-4250-b395-c29409b76086" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index d7e296770..9f6d7a2e6 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml @@ -20,7 +20,7 @@ name = "Process Creation via Secondary Logon" references = ["https://attack.mitre.org/techniques/T1134/002/"] risk_score = 47 rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266" -setup = """ +setup = """## Setup Audit events 4624 and 4688 are needed to trigger this rule. diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index 12815587f..154f98b3d 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml 
@@ -26,7 +26,7 @@ references = [ ] risk_score = 47 rule_id = "670b3b5a-35e5-42db-bd36-6c5b9b4b7313" -setup = """ +setup = """## Setup The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index b41831b47..d3f12ded6 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -65,7 +65,6 @@ Attackers may disable UAC to execute code directly in high integrity. This rule - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - """ references = [ "https://www.greyhathacker.net/?p=796", @@ -74,7 +73,7 @@ references = [ ] risk_score = 47 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404" -setup=""" +setup = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index d75d04dc7..73033d41d 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml 
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Creation or Modification of a new GPO Scheduled Task or Service"
 risk_score = 21
 rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index 03e63828a..e7e5d9fdd 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -46,7 +46,6 @@ Group Policy Objects (GPOs) can be used by attackers to instruct arbitrarily lar
 - Check if other GPOs have suspicious scripts attached.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
@@ -55,10 +54,10 @@ references = [
 ]
 risk_score = 47
 rule_id = "16fac1a1-21ee-4ca6-b720-458e3855d046"
-setup="""
+setup = """## Setup
 
 The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
 Computer Configuration >
@@ -72,7 +71,7 @@ Audit Detailed File Share (Success,Failure)
 ```
 
 The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
 Computer Configuration >
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index c0151d2cf..ba092d3ff 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -43,7 +43,6 @@ Group Policy Objects (GPOs) can be used to add rights and/or modify Group Member
 - The investigation and containment must be performed in every computer controlled by the GPO, where necessary.
 - Remove the script from the GPO.
 - Check if other GPOs have suspicious scripts attached.
-
 """
 references = [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
@@ -51,10 +50,10 @@ references = [
 ]
 risk_score = 73
 rule_id = "b9554892-5e0e-424b-83a0-5aef95aa43bf"
-setup="""
+setup = """## Setup
 
 The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
 Computer Configuration >
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index b533356e4..f40348e6c 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
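Review bot: The rewritten `Steps to implement the logging policy with Advanced Audit Configuration:` line in the privileged-groups hunk (`rule_id = "b9554892-…"`) removes the duplicated "with", but the requirement sentence directly above it still reads `(Success Failure)`, while the credroaming hunk earlier in this diff spells the same requirement `(Success, Failure)`. These setup strings render as Markdown for analysts and get copied between rules, so the missing comma is worth fixing in the same pass: `The 'Audit Directory Service Changes' audit policy must be configured (Success, Failure).` The same `(Success Failure)` wording appears on the line above each of the two iniscript `Steps ...` fixes in this diff. The enclosing `setup` multi-line string continues past the end of the hunk.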
@@ -46,7 +46,6 @@ Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks
 - Check if other GPOs have suspicious scheduled tasks attached.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md",
@@ -57,10 +56,10 @@ references = [
 ]
 risk_score = 47
 rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e"
-setup="""
+setup = """## Setup
 
 The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
 Computer Configuration >
@@ -74,7 +73,7 @@ Audit Detailed File Share (Success,Failure)
 ```
 
 The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
 Computer Configuration >
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index aedadd0d9..31d208f64 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -97,12 +97,11 @@ This rule detects the default execution of the PoC, which overwrites the `elevat
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = ["https://github.com/klinix5/InstallerFileTakeOver"]
 risk_score = 73
 rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607"
-setup="""
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_make_token_local.toml b/rules/windows/privilege_escalation_make_token_local.toml
index 1d7c3bc6f..9ee903cf9 100644
--- a/rules/windows/privilege_escalation_make_token_local.toml
+++ b/rules/windows/privilege_escalation_make_token_local.toml
@@ -20,7 +20,7 @@ name = "Interactive Logon by an Unusual Process"
 references = ["https://attack.mitre.org/techniques/T1134/002/"]
 risk_score = 73
 rule_id = "61766ef9-48a5-4247-ad74-3349de7eb2ad"
-setup = """
+setup = """## Setup
 
 Audit event 4624 is needed to trigger this rule.
 
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 5e40617e4..ce0557bc1 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -92,7 +92,6 @@ Attackers can abuse named pipes to elevate their privileges by impersonating the
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation",
@@ -101,7 +100,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "3ecbdc9e-e4f2-43fa-8cca-63802125e582"
-setup="""
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 15d3550ba..f901fd21d 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -57,7 +57,6 @@ Attackers can execute malicious code by abusing missing modules that processes t
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://itm4n.github.io/windows-dll-hijacking-clarified/",
@@ -69,7 +68,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee"
-setup="""
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index a2b91ad89..ca32b1edf 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -105,7 +105,7 @@ Adversaries can abuse PowerShell to perform token impersonation, which involves
 
 The 'PowerShell Script Block Logging' logging policy must be configured (Enable).
 
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
 Computer Configuration >
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index ef09d3233..52577860e 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 16532fc2b..260ae5b56 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -26,7 +26,7 @@ name = "Suspicious Print Spooler File Deletion"
 references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
 risk_score = 47
 rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 947c9d815..c8c7770e3 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -95,12 +95,11 @@ The Print Spooler service has some known vulnerabilities that attackers can abus
 - Ensure that the machine has the latest security updates and is not running legacy Windows versions.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"]
 risk_score = 47
 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa"
-setup="""
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index dc66b880f..818894d17 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -27,7 +27,8 @@ references = [
 ]
 risk_score = 73
 rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034"
-setup = """
+setup = """## Setup
+
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
index 3a60368ab..842ee2320 100644
--- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
@@ -23,11 +23,11 @@ references = [
 ]
 risk_score = 47
 rule_id = "97020e61-e591-4191-8a3b-2861a2b887cd"
-setup = """
+setup = """## Setup
 
 Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).
 
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
 Computer Configuration >
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 0e02fe253..c10eaf34c 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -20,7 +20,7 @@ name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface"
 references = ["https://github.com/hfiref0x/UACME"]
 risk_score = 73
 rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 59cf5a1d6..028b36f84 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -20,7 +20,7 @@ name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer"
 references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"]
 risk_score = 47
 rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
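Review bot: The rewritten `Steps to implement the logging policy with Advanced Audit Configuration:` line in the sedebugpriv hunk (`rule_id = "97020e61-…"`) leads into the audit-policy walk-through, but the only statement of what to enable is the sentence above it, `Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).`, which names an event ID rather than an audit subcategory and has a subject/verb mismatch. Event 4703 ("A user right was adjusted") is emitted by the 'Audit Token Right Adjusted' subcategory under Detailed Tracking, so naming it makes the setup actionable for someone who has never seen the event: `Windows Event 4703 ("A user right was adjusted") records token privilege changes and is generated by the 'Audit Token Right Adjusted' audit policy, which must be configured for at least (Success).` If the policy path further down the setup block already ends in that subcategory, this is a wording fix only. The `setup` string continues outside the hunk.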
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index aff8e1426..0ad1aa708 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
 risk_score = 73
 rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index b647df7f1..0a6d7e6f9 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -19,7 +19,7 @@ license = "Elastic License v2"
 name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
 risk_score = 47
 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index 011e7e4a8..7403d4de0 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -23,7 +23,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index fb2d5635c..36e9b3cad 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -96,11 +96,10 @@ During startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 73
 rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62"
-setup="""
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 862cf641f..710863ad2 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -95,12 +95,11 @@ This rule identifies an attempt to bypass User Account Control (UAC) by masquera
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"]
 risk_score = 73
 rule_id = "290aca65-e94d-403b-ba0f-62f320e63f51"
-setup="""
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 7e37e68ae..da6a36e72 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -95,12 +95,11 @@ This rule identifies attempts to bypass User Account Control (UAC) by hijacking
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = ["https://github.com/AzAgarampur/byeintegrity-uac"]
 risk_score = 47
 rule_id = "1178ae09-5aff-460a-9f2f-455cd0ac4d8e"
-setup="""
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 993fc9d42..39af881e7 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -92,7 +92,6 @@ This rule uses this information to spot suspicious parent and child processes.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 references = [
 "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
@@ -100,7 +99,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
-setup="""
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index b8c6601f2..977861321 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -26,7 +26,7 @@ name = "Unusual Print Spooler Child Process"
 references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"]
 risk_score = 47
 rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index ce04dc355..67de08048 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Unusual Service Host Child Process - Childless Service"
 risk_score = 47
 rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index a06bc25ca..90ecb3c3f 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -24,7 +24,7 @@ references = [
 ]
 risk_score = 73
 rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241"
-setup = """
+setup = """## Setup
 
 Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
 `condition equal "contains" and keyword equal "pipe"`
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 38111e87c..dd6e0e06f 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -25,10 +25,10 @@ references = [
 ]
 risk_score = 73
 rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2"
-setup = """
+setup = """## Setup
 
 The 'Audit Security System Extension' logging policy must be configured for (Success)
-Steps to implement the logging policy with with Advanced Audit Configuration:
+Steps to implement the logging policy with Advanced Audit Configuration:
 
 ```
 Computer Configuration >
diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml
index 5934fb60f..3cbddfb97 100644
--- a/rules_building_block/collection_posh_compression.toml
+++ b/rules_building_block/collection_posh_compression.toml
@@ -21,7 +21,8 @@ license = "Elastic License v2"
 name = "PowerShell Script with Archive Compression Capabilities"
 risk_score = 21
 rule_id = "27071ea3-e806-4697-8abc-e22c92aa4293"
-setup = """
+setup = """## Setup
+
 The 'PowerShell Script Block Logging' logging policy must be enabled.
 Steps to implement the logging policy with Advanced Audit Configuration:
 
diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
index db94b7608..7d06ec62c 100644
--- a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
+++ b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
@@ -24,7 +24,8 @@ references = [
 ]
 risk_score = 21
 rule_id = "3d3aa8f9-12af-441f-9344-9f31053e316d"
-setup = """
+setup = """## Setup
+
 The 'PowerShell Script Block Logging' logging policy must be enabled.
 Steps to implement the logging policy with Advanced Audit Configuration:
 
diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml
index 771e1703d..da0f2028a 100644
--- a/rules_building_block/defense_evasion_write_dac_access.toml
+++ b/rules_building_block/defense_evasion_write_dac_access.toml
@@ -21,7 +21,8 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "WRITEDAC Access on Active Directory Object"
-setup = """
+setup = """## Setup
+
 The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
 
diff --git a/rules_building_block/discovery_capnetraw_capability.toml b/rules_building_block/discovery_capnetraw_capability.toml
index c650521a1..285fc36bc 100644
--- a/rules_building_block/discovery_capnetraw_capability.toml
+++ b/rules_building_block/discovery_capnetraw_capability.toml
@@ -25,7 +25,8 @@ license = "Elastic License v2"
 name = "Network Traffic Capture via CAP_NET_RAW"
 risk_score = 21
 rule_id = "e28b8093-833b-4eda-b877-0873d134cf3c"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
 
@@ -49,7 +50,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
index 734988914..c9ed63807 100644
--- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
+++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
@@ -45,18 +45,16 @@ This rule identifies commands to enumerate system information, files, and folder
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba"
-setup = """
+setup = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define
 `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 `event.ingested` to @timestamp.
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-
 """
 severity = "low"
 tags = ["Domain: Endpoint",
diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
index c54b74ec3..d351ec77f 100644
--- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
+++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
@@ -28,7 +28,7 @@ license = "Elastic License v2"
 name = "Enumeration of Kernel Modules via Proc"
 risk_score = 21
 rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
-setup = """
+setup = """## Setup
 This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
 ```
diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml
index 6f4ea6c16..e58678343 100644
--- a/rules_building_block/discovery_linux_modprobe_enumeration.toml
+++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml
@@ -22,7 +22,7 @@ license = "Elastic License v2"
 name = "Suspicious Modprobe File Event"
 risk_score = 21
 rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd"
-setup = """
+setup = """## Setup
 This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml
index 64bcb2ef6..e02b8d697 100644
--- a/rules_building_block/discovery_linux_sysctl_enumeration.toml
+++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml
@@ -21,7 +21,7 @@ license = "Elastic License v2"
 name = "Suspicious Sysctl File Event"
 risk_score = 21
 rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02"
-setup = """
+setup = """## Setup
 This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml
index e606e5d26..17292d7cd 100644
--- a/rules_building_block/discovery_net_view.toml
+++ b/rules_building_block/discovery_net_view.toml
@@ -43,18 +43,16 @@ This rule looks for the execution of the `net` utility to enumerate servers in t
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint",
diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml
index 8614a5702..0e5e732e1 100644
--- a/rules_building_block/discovery_posh_generic.toml
+++ b/rules_building_block/discovery_posh_generic.toml
@@ -21,7 +21,8 @@ license = "Elastic License v2"
 name = "PowerShell Script with Discovery Capabilities"
 risk_score = 21
 rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be"
-setup = """
+setup = """## Setup
+
 The 'PowerShell Script Block Logging' logging policy must be enabled.
 Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml
index b2021ba7c..366c86608 100644
--- a/rules_building_block/discovery_posh_password_policy.toml
+++ b/rules_building_block/discovery_posh_password_policy.toml
@@ -20,7 +20,8 @@ license = "Elastic License v2"
 name = "PowerShell Script with Password Policy Discovery Capabilities"
 risk_score = 21
 rule_id = "fe25d5bc-01fa-494a-95ff-535c29cc4c96"
-setup = """
+setup = """## Setup
+
 The 'PowerShell Script Block Logging' logging policy must be enabled.
 Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
index 1454333cb..772caf9ee 100644
--- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml
@@ -43,18 +43,16 @@ This rule looks for the execution of the `arp` or `nbstat` utilities to enumerat
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 21
 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-
 """
 severity = "low"
 tags = ["Domain: Endpoint",
diff --git a/rules_building_block/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml
index abb504d6b..423a95148 100644
--- a/rules_building_block/discovery_security_software_wmic.toml
+++ b/rules_building_block/discovery_security_software_wmic.toml
@@ -45,18 +45,16 @@ This rule looks for the execution of the `wmic` utility with arguments compatibl
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
 """
 risk_score = 47
 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922"
-setup = """
+setup = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate `event.ingested` to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-
 """
 severity = "medium"
 tags = ["Domain: Endpoint",
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml
index fa9b087ee..58422eaad 100644
--- a/rules_building_block/discovery_suspicious_proc_enumeration.toml
+++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml
@@ -21,7 +21,7 @@ license = "Elastic License v2"
 name = "Suspicious Proc Pseudo File System Enumeration"
 risk_score = 21
 rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
-setup = """
+setup = """## Setup
 This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
diff --git a/rules_building_block/execution_downloaded_shortcut_files.toml b/rules_building_block/execution_downloaded_shortcut_files.toml
index 259534f12..a3ea88510 100644
--- a/rules_building_block/execution_downloaded_shortcut_files.toml
+++ b/rules_building_block/execution_downloaded_shortcut_files.toml
@@ -11,7 +11,6 @@ author = ["Elastic"]
 description = """
 Identifies .lnk shortcut file downloaded from outside the local network.
 These shortcut files are commonly used in phishing campaigns.
-
 """
 from = "now-119m"
 interval = "60m"
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
index b702c5868..f7088979c 100644
--- a/rules_building_block/lateral_movement_posh_winrm_activity.toml
+++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml
@@ -25,7 +25,8 @@ references = [
 ]
 risk_score = 21
 rule_id = "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83"
-setup = """
+setup = """## Setup
+
 The 'PowerShell Script Block Logging' logging policy must be enabled.
 Steps to implement the logging policy with Advanced Audit Configuration:
diff --git a/rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml b/rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
index f5938b15e..e9a2be07e 100644
--- a/rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
+++ b/rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
@@ -24,7 +24,8 @@ license = "Elastic License v2"
 name = "CAP_SYS_ADMIN Assigned to Binary"
 risk_score = 21
 rule_id = "a577e524-c2ee-47bd-9c5b-e917d01d3276"
-setup = """
+setup = """## Setup
+
 This rule requires data coming in from Elastic Defend.
@@ -48,7 +49,6 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - Click "Save and Continue".
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-
 """
 severity = "low"
 tags = [
diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml
index cba0bf98f..2ea48281a 100644
--- a/rules_building_block/persistence_transport_agent_exchange.toml
+++ b/rules_building_block/persistence_transport_agent_exchange.toml
@@ -21,7 +21,7 @@ license = "Elastic License v2"
 name = "Microsoft Exchange Transport Agent Install Script"
 risk_score = 21
 rule_id = "846fe13f-6772-4c83-bd39-9d16d4ad1a81"
-setup = """
+setup = """## Setup
 The 'PowerShell Script Block Logging' logging policy must be enabled.
 Steps to implement the logging policy with Advanced Audit Configuration: