[Tuning] Windows Discovery Rule Tuning for UEBA (#3097)

* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Ruben Groenewoud
2023-10-11 09:43:26 +02:00
committed by GitHub
parent a46797b987
commit 4cdf52129a
20 changed files with 468 additions and 174 deletions
+2 -1
@@ -114,7 +114,8 @@
},
".alerts-security.*": {
"signal.rule.name": "keyword",
"kibana.alert.rule.threat.tactic.id": "keyword"
"kibana.alert.rule.threat.tactic.id": "keyword",
"kibana.alert.rule.rule_id": "keyword"
},
"logs-google_workspace*": {
"gsuite.admin": "keyword",
+15 -7
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/14"
[rule]
author = ["Elastic"]
@@ -56,7 +56,14 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "871ea072-1b71-4def-b016-6278b505138d"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -74,42 +81,43 @@ process where host.os.type == "windows" and event.type == "start" and
((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and
process.args : ("group", "useraccount"))
)
) and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique.subtechnique]]
id = "T1069.001"
name = "Local Groups"
reference = "https://attack.mitre.org/techniques/T1069/001/"
[[rule.threat.technique.subtechnique]]
id = "T1069.002"
name = "Domain Groups"
reference = "https://attack.mitre.org/techniques/T1069/002/"
[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1087/001/"
[[rule.threat.technique.subtechnique]]
id = "T1087.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1087/002/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
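Review bot: The `not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` clause that now closes the query silences every wmic `group`/`useraccount` enumeration run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, which is also the post-escalation case (service abuse, PsExec -s, SYSTEM scheduled tasks) where this discovery is most telling. If the noise comes from a handful of management agents, scoping the exclusion to their parent executable paths as observed in the false positives is narrower than a blanket service-account carve-out. If the carve-out stays, a comment naming the noise source, e.g. `/* service accounts excluded: inventory noise from management agents */`, would stop the next tuner from guessing. The `process where ...` expression starts above this hunk.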
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/27"
updated_date = "2023/09/14"
[rule]
author = ["Elastic"]
@@ -62,7 +62,14 @@ references = [
risk_score = 21
rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -71,16 +78,20 @@ process where host.os.type == "windows" and event.type == "start" and
process.name : "nltest.exe" and process.args : (
"/DCLIST:*", "/DCNAME:*", "/DSGET*",
"/LSAQUERYFTI:*", "/PARENTDOMAIN",
"/DOMAIN_TRUSTS", "/BDC_QUERY:*")
"/DOMAIN_TRUSTS", "/BDC_QUERY:*"
) and
not process.parent.name : "PDQInventoryScanner.exe" and
not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1482"
name = "Domain Trust Discovery"
reference = "https://attack.mitre.org/techniques/T1482/"
[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
@@ -90,4 +101,3 @@ reference = "https://attack.mitre.org/techniques/T1018/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
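Review bot: The added `not process.parent.name : "PDQInventoryScanner.exe"` exclusion keys on a bare file name, which any binary can adopt, so an attacker who reads the rule can run nltest under a renamed parent and bypass it. Anchoring on `process.parent.executable` with the full install path (plus the parent's code signature fields where the data source records them) gives the same false-positive relief without a name-only bypass; the PDQ install directory is not visible here and should be taken from the events that motivated the exclusion. The new `not user.id in (...)` clause likewise hides nltest runs under SYSTEM, where post-escalation trust enumeration tends to happen, so a comment stating the observed noise source would help. The `process where ...` expression begins above this hunk.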
@@ -2,9 +2,9 @@
creation_date = "2020/10/15"
integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/10"
[transform]
[[transform.osquery]]
@@ -31,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
[rule]
author = ["Elastic"]
description = """
@@ -40,7 +39,7 @@ Administrators or Remote Desktop users.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Enumeration of Privileged Local Groups Membership"
note = """## Triage and analysis
@@ -112,75 +111,81 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
query = '''
iam where event.action == "user-member-enumerated" and
/* excluding machine account */
not winlog.event_data.SubjectUserName: ("*$", "LOCAL SERVICE", "NETWORK SERVICE") and
/* noisy and usual legit processes excluded */
not winlog.event_data.CallerProcessName:
("-",
"?:\\Windows\\System32\\VSSVC.exe",
"?:\\Windows\\System32\\SearchIndexer.exe",
"?:\\Windows\\System32\\CompatTelRunner.exe",
"?:\\Windows\\System32\\oobe\\msoobe.exe",
"?:\\Windows\\System32\\net1.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\Netplwiz.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\SysWOW64\\msiexec.exe",
"?:\\Windows\\System32\\CloudExperienceHostBroker.exe",
"?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\System32\\SrTasks.exe",
"?:\\Windows\\System32\\lsass.exe",
"?:\\Windows\\System32\\diskshadow.exe",
"?:\\Windows\\System32\\dfsrs.exe",
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\WindowsAzure\\*\\WaAppAgent.exe",
"?:\\Windows\\System32\\vssadmin.exe",
"?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
"?:\\Windows\\System32\\dllhost.exe",
"?:\\Windows\\System32\\mmc.exe",
"?:\\Windows\\System32\\SettingSyncHost.exe",
"?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
"?:\\Windows\\System32\\SystemSettingsAdminFlows.exe",
"?:\\Windows\\Temp\\rubrik_vmware???\\snaptool.exe",
"?:\\Windows\\System32\\inetsrv\\w3wp.exe",
"?:\\$WINDOWS.~BT\\Sources\\*.exe",
"?:\\Windows\\System32\\wsmprovhost.exe",
"?:\\Windows\\System32\\spool\\drivers\\x64\\3\\x3jobt3?.exe",
"?:\\Windows\\System32\\mstsc.exe",
"?:\\Windows\\System32\\esentutl.exe",
"?:\\Windows\\System32\\RecoveryDrive.exe",
"?:\\Windows\\System32\\SystemPropertiesComputerName.exe") and
/* privileged local groups */
(group.name:("*admin*","RemoteDesktopUsers") or
winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555"))
host.os.type:windows and event.category:iam and event.action:user-member-enumerated and
(
group.name:(*Admin* or "RemoteDesktopUsers") or
winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555")
) and
not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or
winlog.event_data.CallerProcessName:("-" or
*\:\\\\Windows\\\\System32\\\\VSSVC.exe or
*\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or
*\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or
*\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or
*\:\\\\Windows\\\\System32\\\\net1.exe or
*\:\\\\Windows\\\\System32\\\\svchost.exe or
*\:\\\\Windows\\\\System32\\\\Netplwiz.exe or
*\:\\\\Windows\\\\System32\\\\msiexec.exe or
*\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or
*\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or
*\:\\\\Windows\\\\System32\\\\SrTasks.exe or
*\:\\\\Windows\\\\System32\\\\diskshadow.exe or
*\:\\\\Windows\\\\System32\\\\dfsrs.exe or
*\:\\\\Windows\\\\System32\\\\vssadmin.exe or
*\:\\\\Windows\\\\System32\\\\dllhost.exe or
*\:\\\\Windows\\\\System32\\\\mmc.exe or
*\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or
*\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or
*\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or
*\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe or
*\:\\\\Windows\\\\System32\\\\mstsc.exe or
*\:\\\\Windows\\\\System32\\\\esentutl.exe or
*\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or
*\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or
*\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or
*\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or
*\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe or
*\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or
?\:\\\\WindowsAzure\\\\*WaAppAgent.exe or
?\:\\\\Program?Files?\(x86\)\\\\*.exe or
?\:\\\\Program?Files\\\\*.exe or
?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique.subtechnique]]
id = "T1069.001"
name = "Local Groups"
reference = "https://attack.mitre.org/techniques/T1069/001/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
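Review bot: `group.name:(*Admin* or "RemoteDesktopUsers")` replaces the EQL `*admin*` match, and as far as I know KQL wildcards on a keyword field are evaluated case-sensitively, so a custom group such as `sqladmins` that the EQL version caught would now be missed while the `TargetSid` backstop only covers the two built-in SIDs — please confirm the mapping or add the lowercase form `*admin*` alongside. Two callers from the old exclusion list, `lsass.exe` and `SystemSettingsAdminFlows.exe`, are absent from the new one; if that is deliberate a short comment saying so would stop them being re-added, otherwise each will surface once per host/user as a new term. The rule is now `language = "kuery"` / `type = "new_terms"`, yet the setup text visible in the hunk header still says "If enabling an EQL rule on a non-elastic-agent index (such as beats)…", which no longer applies and should be dropped or reworded for the new terms rule type.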
@@ -0,0 +1,53 @@
[metadata]
creation_date = "2023/09/22"
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
description = """
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
host.id, user.id and process.command_line entries.
"""
from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
risk_score = 21
rule_id = "29ef5686-9b93-433e-91b5-683911094698"
severity = "low"
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: Higher-Order Rule"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
"d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
"0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
"e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
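Review bot: This rule produces nothing unless the eight building block rules listed in `kibana.alert.rule.rule_id:(...)` are enabled, and building block rules are disabled by default, yet neither `description` nor a `setup` field says so, so an operator enabling only this rule gets a silently empty feed. Suggest a `setup` field along the lines of "This rule depends on alerts from the Windows Discovery building block rules; enable those (disabled by default) before enabling this rule." `timestamp_override = "event.ingested"` is inherited from the endpoint rules, but on alert documents in `.alerts-security.*` the source `event.*` fields are, I believe, carried under `kibana.alert.original_event.*`, so the override presumably never resolves and falls back to `@timestamp` — harmless if the fallback is on, but worth confirming rather than copying. Four of the listed IDs (`e0881d20…`, `06568a02…`, `c4e9ed3e…`, `51176ed2…`) are not touched in this commit; a one-line mapping of each ID to its rule name in `description` would keep the list maintainable.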
@@ -0,0 +1,48 @@
[metadata]
creation_date = "2023/09/22"
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"
[rule]
author = ["Elastic"]
description = """
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
host.id, user.id and process.executable entries.
"""
from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Signal Alert with Unusual Process Executable"
risk_score = 21
rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
severity = "low"
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: Higher-Order Rule"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
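Review bot: The new terms key `["host.id", "user.id", "process.executable"]` is evaluated on alerts from rule `1d72d014…`, which per its query later in this commit matches `network` events with `network.protocol == "dns"`; as far as I know a new terms rule only considers documents that carry every listed field, so if `user.id` is not populated on those DNS events the rule never fires and nobody is told. Please verify against a sample alert, or key on `host.id` + `process.executable` only. As with the sibling signal rule, a `setup` note stating that this rule depends on that single building block rule being enabled would save operators from an empty feed.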
@@ -4,12 +4,15 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/10/10"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.
Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows
Command Shell.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"]
@@ -50,7 +53,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Tactic: Execution",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -60,9 +71,9 @@ process where host.os.type == "windows" and event.type == "start" and
not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
@@ -73,26 +84,25 @@ id = "T1083"
name = "File and Directory Discovery"
reference = "https://attack.mitre.org/techniques/T1083/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -4,16 +4,17 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/29"
updated_date = "2023/09/14"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule identifies the execution of commands that enumerates account or group information. Adversaries may use
built-in applications to get a listing of local system or domain accounts and groups.
"""
from = "now-119m"
interval = "60m"
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
@@ -21,9 +22,14 @@ name = "Windows Account or Group Discovery"
risk_score = 21
rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
@@ -52,20 +58,23 @@ process where host.os.type == "windows" and event.type == "start" and
process.args : "set"
)
)
) and not user.id : "S-1-5-18"
) and not process.parent.args: "C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\DetectionScripts\\*.ps1"
and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique.subtechnique]]
id = "T1069.001"
name = "Local Groups"
reference = "https://attack.mitre.org/techniques/T1069/001/"
[[rule.threat.technique.subtechnique]]
id = "T1069.002"
name = "Domain Groups"
@@ -80,16 +89,17 @@ reference = "https://attack.mitre.org/techniques/T1201/"
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1087/001/"
[[rule.threat.technique.subtechnique]]
id = "T1087.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1087/002/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
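Review bot: The added `not process.parent.name : "LTSVC.exe"` exclusion is a name-only match, and `LTSVC.exe` is, I believe, the ConnectWise Automate (LabTech) agent — RMM agents are also a favourite attacker foothold, so this both invites a rename bypass and exempts account enumeration run through an attacker-deployed agent; anchoring on `process.parent.executable` with the install path (and the signer, where recorded) is the narrower filter. The Intune exclusion hard-codes the drive, `"C:\\Program Files (x86)\\..."`, while every other path in these rules uses `?:`; `process.parent.args: "?:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\DetectionScripts\\*.ps1"` is consistent and survives a non-C system drive. A `/* ... */` comment above the two exclusions naming the observed false positive (MDM detection scripts, RMM inventory) would help later tuning. The `process where ...` expression starts above this hunk.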
@@ -4,16 +4,17 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/16"
updated_date = "2023/09/14"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may
enumerate processes to identify installed applications and security solutions.
"""
from = "now-119m"
interval = "60m"
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
@@ -21,9 +22,14 @@ name = "Process Discovery Using Built-in Tools"
risk_score = 21
rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
@@ -37,15 +43,14 @@ process where host.os.type == "windows" and event.type == "start" and
) and not user.id : "S-1-5-18"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
@@ -2,55 +2,61 @@
creation_date = "2023/07/13"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/13"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/21"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the
registry to gain situational awareness about the host, like installed security software, programs and settings.
"""
from = "now-119m"
interval = "60m"
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Query Registry using Built-in Tools"
risk_score = 21
rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
type = "new_terms"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(
(
process.name == "reg.exe" and process.args : "query" and
not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
) or
(
process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
(process.args: ("*Get-ChildItem*", "*Get-Item*", "*Get-ItemProperty*") and
process.args : ("*HKLM*", "*HKCU*", "*HKEY_LOCAL_MACHINE*", "*HKEY_CURRENT_USER*", "*Registry::*"))
)
) and not user.id : "S-1-5-18"
host.os.type:windows and event.category:process and event.type:start and (
(process.name.caseless:"reg.exe" and process.args:"query") or
(process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and
process.command_line.caseless:((*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and
(*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or *HKLM* or *Registry\:\:*))))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1012"
name = "Query Registry"
reference = "https://attack.mitre.org/techniques/T1012/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
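Review bot: The rewritten KQL query drops both filters the EQL version had — `not process.parent.executable : ("?:\\Program Files\\*", ...)` for reg.exe and `not user.id : "S-1-5-18"` — although the commit message says exclusions were re-added, so either the message or this query is stale; with `new_terms_fields = ["host.id", "user.id"]` SYSTEM now yields one alert per host per 14-day window instead of none, which may be intended but should be stated. The key also omits `process.command_line`, unlike the internet-capabilities rule converted in this same commit, so after the first registry query by a user on a host every later one (reg.exe or PowerShell, any hive) is suppressed for the history window; if that is the intended signal, a sentence in `description` such as "Alerts once per host/user on first registry query within the history window" would make it explicit. `*Get-ItemProperty*` is subsumed by `*Get-Item*` and can go.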
@@ -2,50 +2,65 @@
creation_date = "2023/07/12"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/12"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/20"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These
results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and
proxy servers.
"""
from = "now-119m"
interval = "60m"
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Discovery of Internet Capabilities via Built-in Tools"
risk_score = 21
rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
type = "new_terms"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.name : ("ping.exe", "tracert.exe", "pathping.exe") and
not process.args : ("127.0.0.1", "::1", "0.0.0.0", "192.168.*")
host.os.type:windows and event.category:process and event.type:start and
process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and
not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "1.1.1.1" or "1.2.3.4" or "::1")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"
[[rule.threat.technique.subtechnique]]
id = "T1016.001"
name = "Internet Connection Discovery"
reference = "https://attack.mitre.org/techniques/T1016/001/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
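Review bot: The new exclusion `not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "1.1.1.1" or "1.2.3.4" or "::1")` exempts exactly the probes the rule exists to catch — `ping 1.1.1.1` is a textbook T1016.001 egress check, and `ping 1.2.3.4 -n 1 -w <ms>` is a commonly seen malware sleep idiom — while `8.8.8.8` and other public targets still alert, so the list is both inconsistent and a published bypass for anyone who reads the rule. Suggest keeping only loopback/unspecified targets, `not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "::1")`, and letting the `host.id`/`user.id`/`process.command_line` new terms key absorb repetition from legitimate connectivity scripts. The `192.168.*` exclusion from the EQL version is gone, so RFC 1918 pings now feed the rule; that looks deliberate for the new terms design but deserves a sentence in `description`.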
@@ -4,10 +4,12 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/21"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool."
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
@@ -49,7 +51,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -70,9 +80,9 @@ process where host.os.type == "windows" and event.type == "start" and
*/
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
@@ -83,9 +93,7 @@ id = "T1135"
name = "Network Share Discovery"
reference = "https://attack.mitre.org/techniques/T1135/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
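Review bot: Turning this rule into a building block (`building_block_type = "default"`, `Rule Type: BBR`) while leaving `risk_score = 47` / `severity = "medium"` is inconsistent with every other building block in this commit (all `risk_score = 21`, `severity = "low"`), and it changes operator-visible behaviour: building block alerts are hidden from the default alerts view, so a medium-severity detection with an investigation guide silently drops out of triage queues. Either align it with the BBR convention, `risk_score = 21` and `severity = "low"`, or keep it a normal rule if it should stay operator-facing — the higher-order signal rules query `.alerts-security.*` by `rule_id` and will consume its alerts either way. A sentence in `description` noting that the rule now primarily feeds the unusual-discovery signal rules would explain the change to users.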
@@ -4,10 +4,12 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/21"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test
for Internet access and acquire their external IP address after they have gained access to a system. Among others, this
@@ -62,7 +64,14 @@ references = [
risk_score = 21
rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -109,27 +118,25 @@ network where host.os.type == "windows" and network.protocol == "dns" and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"
[[rule.threat.technique.subtechnique]]
id = "T1016.001"
name = "Internet Connection Discovery"
reference = "https://attack.mitre.org/techniques/T1016/001/"
[[rule.threat.technique]]
id = "T1614"
name = "System Location Discovery"
reference = "https://attack.mitre.org/techniques/T1614/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -4,10 +4,12 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/21"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = "Discovery of remote system information using built-in commands, which may be used to move laterally."
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
@@ -49,7 +51,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 21
rule_id = "0635c542-1b96-4335-9b47-126582d2c19a"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
@@ -66,9 +76,9 @@ process where host.os.type == "windows" and event.type == "start" and
process.args : "group" and process.args : "/domain" and not process.args : "/add")))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
@@ -79,9 +89,7 @@ id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
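Review bot: The expanded tags array in this section lists "Data Source: Elastic Defend" before "Data Source: Elastic Endgame", while the wmic rule 6ea55c81 lists Endgame first, and the network-connections rule c4e9ed3e and system-information rule 51176ed2 put "Rule Type: BBR" ahead of the data sources, the latter also closing the array on the last element's line instead of on its own line. Since the same tag set is being rewritten in every file of this PR, one fixed order (use case, tactic, resources, data sources, rule type, with the closing `]` on its own line) would let the arrays be compared at a glance across rules. Order is not significant to the TOML parser, so this is a style point only.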
@@ -4,7 +4,8 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/21"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
@@ -52,32 +53,39 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name:"wmic.exe" or process.pe.original_file_name:"wmic.exe") and
process.args:"/namespace:\\\\root\\SecurityCenter2" and process.args:"Get"
(process.name : "wmic.exe" or process.pe.original_file_name : "wmic.exe") and
process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique.subtechnique]]
id = "T1518.001"
name = "Security Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/001/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
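Review bot: "Rule Type: BBR" is added to a rule that keeps `risk_score = 47` and `severity = "medium"`, whereas every other building block rule in this PR carries 21/low. Because this rule already has `building_block_type = "default"`, its alerts are not shown in the default alerts view, so the medium severity mainly shapes the `kibana.alert.*` fields that the new "Unusual Discovery Activity by User" rule consumes from `.alerts-security.*`. Worth confirming the values are intended, or lowering them to `risk_score = 21` / `severity = "low"` to match the batch. The query edit in this hunk is whitespace only.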
@@ -0,0 +1,56 @@
[metadata]
creation_date = "2023/10/10"
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/10"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
host.id and user.id entries.
"""
from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Activity by User"
risk_score = 21
rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3"
severity = "low"
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: Higher-Order Rule"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
"d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
"0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
"e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169" or
"1d72d014-e2ab-4707-b056-9b96abe7b511"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
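Review bot: The rule only matches alerts whose `kibana.alert.rule.rule_id` is one of the nine hard-coded values in the query, so it is silent whenever those building block rules are not enabled, and nothing in the file records that dependency. A `setup` field would make it explicit, e.g. `setup = """This rule relies on alerts generated by the Discovery building block rules listed in the query; those rules must be enabled for this rule to produce alerts."""`, and the description could name the source rules rather than "various Discovery building block rules". The id list will also need manual upkeep if a source rule's rule_id changes or another Discovery building block is added.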
@@ -4,10 +4,12 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/12"
updated_date = "2023/09/21"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase
after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.
@@ -20,14 +22,22 @@ name = "System Service Discovery through built-in Windows Utilities"
risk_score = 21
rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(
((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or
((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and
not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or
((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or
((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") or
(process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe")
@@ -36,6 +46,7 @@ process where host.os.type == "windows" and event.type == "start" and
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1007"
name = "System Service Discovery"
@@ -44,4 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1007/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -1,15 +1,18 @@
[metadata]
creation_date = "2023/01/17"
creation_date = "2023/01/24"
integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/09/21"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.
Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance
phase after compromising a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
@@ -19,21 +22,30 @@ name = "System Time Discovery"
risk_score = 21
rule_id = "06568a02-af29-4f20-929c-f3af281e41aa"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(
((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : "time") or
((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and
process.args : "time") or
(process.name: "w32tm.exe" and process.args: "/tz") or
(process.name: "tzutil.exe" and process.args: "/g")
) and not user.id : "S-1-5-18"
) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1124"
name = "System Time Discovery"
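Review bot: The service-account exclusion is widened here to `not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")`, but the network-connections rule c4e9ed3e in the same PR still ends its query with `not user.id : "S-1-5-18"`, and the visible part of the system-service rule e0881d20 query shows no `user.id` exclusion at all (its closing lines are outside that hunk). Since all of these now feed the same `new_terms` rule keyed on `host.id` and `user.id`, Local Service and Network Service activity excluded here could still surface as new terms from the other rules; either apply the same three-SID exclusion in those queries or state why System Time alone excludes them. Separately, `creation_date` moves from 2023/01/17 to 2023/01/24 in a tuning commit, which looks accidental — confirm it is intended.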
@@ -4,16 +4,17 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/14"
updated_date = "2023/09/21"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may
attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.
"""
from = "now-119m"
interval = "60m"
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
@@ -21,9 +22,14 @@ name = "Windows System Network Connections Discovery"
risk_score = 21
rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
@@ -43,19 +49,19 @@ process where event.type == "start" and
) and not user.id : "S-1-5-18"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1049"
name = "System Network Connections Discovery"
reference = "https://attack.mitre.org/techniques/T1049/"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
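Review bot: The query in this hunk begins `process where event.type == "start" and` without the `host.os.type == "windows"` constraint the other rules in this PR carry, and the index pattern `logs-endpoint.events.*` is not Windows-only, so process starts from other endpoint platforms can match unless a platform constraint exists in the part of the query outside this hunk. Changing the opening line to `process where host.os.type == "windows" and event.type == "start" and` keeps the building block aligned with its "Windows System Network Connections Discovery" name. The downstream new_terms rule filters on `host.os.type:windows`, but that only discards the signals after this rule has already generated them.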
@@ -4,16 +4,17 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/26"
updated_date = "2023/09/21"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Detects the execution of commands used to discover information about the system, which attackers may use after
compromising a system to gain situational awareness.
"""
from = "now-119m"
interval = "60m"
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
@@ -21,10 +22,15 @@ name = "Windows System Information Discovery"
risk_score = 21
rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"]
tags = ["Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
query = '''
process where host.os.type == "windows" and event.type == "start" and
@@ -48,6 +54,7 @@ process.parent.executable : (
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"