diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index ba80df95a..408ca42a9 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -114,7 +114,8 @@ }, ".alerts-security.*": { "signal.rule.name": "keyword", - "kibana.alert.rule.threat.tactic.id": "keyword" + "kibana.alert.rule.threat.tactic.id": "keyword", + "kibana.alert.rule.rule_id": "keyword" }, "logs-google_workspace*": { "gsuite.admin": "keyword", diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index 309acb7d0..640e7c090 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/14" [rule] author = ["Elastic"] @@ -56,7 +56,14 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "871ea072-1b71-4def-b016-6278b505138d" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -74,42 +81,43 @@ process where host.os.type == "windows" and event.type == "start" and ((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and process.args : ("group", "useraccount")) -) +) and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + [[rule.threat.technique.subtechnique]] id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index 7b337ff65..b730a1526 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/27" +updated_date = "2023/09/14" [rule] author = ["Elastic"] 
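Review bot: The clause `and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` appended to the query exempts every process running as SYSTEM, Local Service or Network Service, which is exactly the context an operator lands in after service-based lateral movement or a SYSTEM-level scheduled task, so `net group "Domain Admins" /domain` from such a shell no longer alerts. If the intent is to quiet management agents, a narrower exception keyed on `process.parent.executable` (plus the parent's code signature where Elastic Defend supplies it) keeps coverage for SYSTEM-context recon. At minimum the rule's triage note should state that SYSTEM-context enumeration is intentionally excluded so analysts do not assume it is covered. The `process where ...` query begins before this hunk, so any earlier narrowing clause was not visible here.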
@@ -62,7 +62,14 @@ references = [ risk_score = 21 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -71,16 +78,20 @@ process where host.os.type == "windows" and event.type == "start" and process.name : "nltest.exe" and process.args : ( "/DCLIST:*", "/DCNAME:*", "/DSGET*", "/LSAQUERYFTI:*", "/PARENTDOMAIN", - "/DOMAIN_TRUSTS", "/BDC_QUERY:*") + "/DOMAIN_TRUSTS", "/BDC_QUERY:*" + ) and +not process.parent.name : "PDQInventoryScanner.exe" and +not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -90,4 +101,3 @@ reference = "https://attack.mitre.org/techniques/T1018/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index 17764a8ba..744c5f3f9 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml 
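Review bot: `not process.parent.name : "PDQInventoryScanner.exe"` keys the new exception on a bare file name that the attacker controls: a renamed binary called PDQInventoryScanner.exe or a spoofed parent PID turns it into a bypass for every `nltest /DCLIST`, `/DOMAIN_TRUSTS` and `/DSGET*` pattern the rule covers. Anchor it on `process.parent.executable` with the agent's expected install path and, if the data source carries it, `process.parent.code_signature.trusted` and `subject_name` for the PDQ publisher. The added `not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` also exempts SYSTEM-context execution, a common post-lateral-movement context, and should be called out in the false-positive note.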
@@ -2,9 +2,9 @@ creation_date = "2020/10/15" integration = ["system", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/10" [transform] [[transform.osquery]] @@ -31,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = """ @@ -40,7 +39,7 @@ Administrators or Remote Desktop users. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Enumeration of Privileged Local Groups Membership" note = """## Triage and analysis 
@@ -112,75 +111,81 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -iam where event.action == "user-member-enumerated" and - - /* excluding machine account */ - not winlog.event_data.SubjectUserName: ("*$", "LOCAL SERVICE", "NETWORK SERVICE") and - - /* noisy and usual legit processes excluded */ - not winlog.event_data.CallerProcessName: - ("-", - "?:\\Windows\\System32\\VSSVC.exe", - "?:\\Windows\\System32\\SearchIndexer.exe", - "?:\\Windows\\System32\\CompatTelRunner.exe", - "?:\\Windows\\System32\\oobe\\msoobe.exe", - "?:\\Windows\\System32\\net1.exe", - "?:\\Windows\\System32\\svchost.exe", - "?:\\Windows\\System32\\Netplwiz.exe", - "?:\\Windows\\System32\\msiexec.exe", - "?:\\Windows\\SysWOW64\\msiexec.exe", - "?:\\Windows\\System32\\CloudExperienceHostBroker.exe", - "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "?:\\Windows\\System32\\SrTasks.exe", - "?:\\Windows\\System32\\lsass.exe", - "?:\\Windows\\System32\\diskshadow.exe", - "?:\\Windows\\System32\\dfsrs.exe", - "?:\\Program Files\\*.exe", - "?:\\Program Files (x86)\\*.exe", - "?:\\WindowsAzure\\*\\WaAppAgent.exe", - "?:\\Windows\\System32\\vssadmin.exe", - "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", - "?:\\Windows\\System32\\dllhost.exe", - "?:\\Windows\\System32\\mmc.exe", - "?:\\Windows\\System32\\SettingSyncHost.exe", - "?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", - "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe", - "?:\\Windows\\Temp\\rubrik_vmware???\\snaptool.exe", - 
"?:\\Windows\\System32\\inetsrv\\w3wp.exe", - "?:\\$WINDOWS.~BT\\Sources\\*.exe", - "?:\\Windows\\System32\\wsmprovhost.exe", - "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\x3jobt3?.exe", - "?:\\Windows\\System32\\mstsc.exe", - "?:\\Windows\\System32\\esentutl.exe", - "?:\\Windows\\System32\\RecoveryDrive.exe", - "?:\\Windows\\System32\\SystemPropertiesComputerName.exe") and - - /* privileged local groups */ - (group.name:("*admin*","RemoteDesktopUsers") or - winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555")) +host.os.type:windows and event.category:iam and event.action:user-member-enumerated and + ( + group.name:(*Admin* or "RemoteDesktopUsers") or + winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555") + ) and + not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or + winlog.event_data.CallerProcessName:("-" or + *\:\\\\Windows\\\\System32\\\\VSSVC.exe or + *\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or + *\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or + *\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or + *\:\\\\Windows\\\\System32\\\\net1.exe or + *\:\\\\Windows\\\\System32\\\\svchost.exe or + *\:\\\\Windows\\\\System32\\\\Netplwiz.exe or + *\:\\\\Windows\\\\System32\\\\msiexec.exe or + *\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or + *\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or + *\:\\\\Windows\\\\System32\\\\SrTasks.exe or + *\:\\\\Windows\\\\System32\\\\diskshadow.exe or + *\:\\\\Windows\\\\System32\\\\dfsrs.exe or + *\:\\\\Windows\\\\System32\\\\vssadmin.exe or + *\:\\\\Windows\\\\System32\\\\dllhost.exe or + *\:\\\\Windows\\\\System32\\\\mmc.exe or + *\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or + *\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or + *\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or + *\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe or + *\:\\\\Windows\\\\System32\\\\mstsc.exe or + 
*\:\\\\Windows\\\\System32\\\\esentutl.exe or + *\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or + *\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or + *\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or + *\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or + *\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe or + *\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or + ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe or + ?\:\\\\Program?Files?\(x86\)\\\\*.exe or + ?\:\\\\Program?Files\\\\*.exe or + ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe + ) + ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml new file mode 100644 index 000000000..f6108af2a --- /dev/null +++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml 
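Review bot: The rewritten CallerProcessName exclusion list is missing two entries the deleted EQL version had, `?:\\Windows\\System32\\lsass.exe` and `?:\\Windows\\System32\\SystemSettingsAdminFlows.exe`, so enumerations attributed to those callers now feed the new-terms evaluation; if that is intentional say so in the rule note, otherwise restore them beside `SystemPropertiesComputerName.exe`. The hunk header shows the note still begins `If enabling an EQL rule on a non-elastic-agent index...`, which is stale now that the rule is `type = "new_terms"` with `language = "kuery"` and should be reworded for the new rule type. `group.name:(*Admin* or "RemoteDesktopUsers")` is a KQL wildcard on what is presumably a keyword field and, unlike the EQL `:` it replaces, is case-sensitive, so lowercase custom groups such as "local admins" only match via the SID clause; add a `*admin*` alternative or use a caseless subfield if the mapping has one.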
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/09/22"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id, user.id and process.command_line entries.
+"""
+from = "now-9m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
+risk_score = 21
+rule_id = "29ef5686-9b93-433e-91b5-683911094698"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
+ "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
+ "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
+ "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
+ "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
new file mode 100644
index 000000000..f42418688
--- /dev/null
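Review bot: Nothing in the file records that the rule only works while the eight building-block rules in `kibana.alert.rule.rule_id:(...)` are enabled and their alerts are written to `.alerts-security.*`; if one is disabled or its ID changes, this rule silently stops firing. Add a `note` such as `This rule depends on the Windows discovery building block rules listed in the query being enabled; it fires once per host.id, user.id and process.command_line combination not seen in the preceding 14 days.` Only three of the listed IDs (`d68e95ad…`, `7b8bfc26…`, `0635c542…`) belong to rules touched in this change; the other five should be confirmed to be Windows process-based BBRs that populate `process.command_line`, since an alert without that field cannot contribute a usable term.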
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/09/22"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id, user.id and process.executable entries.
+"""
+from = "now-9m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Discovery Signal Alert with Unusual Process Executable"
+risk_score = 21
+rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
similarity index 90%
rename from rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
rename to rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
index 680fcfcf0..25178ed9f 100644
--- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
+++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml
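Review bot: The `description` says the rule uses "various Discovery building block rules", but the query matches exactly one rule_id, `1d72d014-e2ab-4707-b056-9b96abe7b511`, which elsewhere in this change is the external-IP-lookup DNS rule (`network where ... network.protocol == "dns"`). Name that dependency so an analyst reads the alert correctly, e.g. `This rule fires when the "External IP Lookup" building block rule (1d72d014-…) produces an alert for a host.id, user.id and process.executable combination not seen in the last 14 days; that rule must remain enabled.` Because the source is a network-event rule, confirm `user.id` is populated on Elastic Defend DNS events before relying on it as a new-terms field; alerts missing the field are presumably skipped, which would make the rule blind rather than noisy.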
@@ -4,12 +4,15 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/10" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. +Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows +Command Shell. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"] @@ -50,7 +53,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" @@ -60,9 +71,9 @@ process where host.os.type == "windows" and event.type == "start" and not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" 
@@ -73,26 +84,25 @@ id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index 640a15c10..06080aad7 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -4,16 +4,17 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/29" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" 
@@ -21,9 +22,14 @@ name = "Windows Account or Group Discovery" risk_score = 21 rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -52,20 +58,23 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "set" ) ) -) and not user.id : "S-1-5-18" +) and not process.parent.args: "C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\DetectionScripts\\*.ps1" +and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + [[rule.threat.technique.subtechnique]] id = "T1069.002" name = "Domain Groups" @@ -80,16 +89,17 @@ reference = "https://attack.mitre.org/techniques/T1201/" id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index fc1b1cb28..69bef326d 100644 
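Review bot: Both new exceptions are keyed on attacker-controllable values: `not process.parent.name : "LTSVC.exe"` matches any parent named like the ConnectWise Automate/LabTech agent regardless of path or signer, and RMM agents of that kind are themselves a common way adversaries run `net user`/`net group` on compromised hosts, so this hands them a blanket pass. The Intune exception hardcodes `C:\\Program Files (x86)\\...` while every other path in these rules uses the `?:` drive wildcard, and it only inspects one `process.parent.args` element, so it will not match an agent installed on another drive. Anchor both on `process.parent.executable` with the product's expected install path (and `process.parent.code_signature.subject_name` where the data carries it), and note the choice in the rule's false-positive text. This rule still exempts only `S-1-5-18` while the admin-recon and nltest rules in the same change exempt S-1-5-18/19/20; keeping it narrower is fine but should be deliberate.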
--- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -4,16 +4,17 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/16" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" @@ -21,9 +22,14 @@ name = "Process Discovery Using Built-in Tools" risk_score = 21 rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -37,15 +43,14 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index 8eb94c19d..75a979960 100644 --- a/rules_building_block/discovery_generic_registry_query.toml 
+++ b/rules_building_block/discovery_generic_registry_query.toml 
@@ -2,55 +2,61 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/13" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Query Registry using Built-in Tools" risk_score = 21 rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and -( - ( - process.name == "reg.exe" and process.args : "query" and - not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") - ) or - ( - process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and - (process.args: ("*Get-ChildItem*", "*Get-Item*", "*Get-ItemProperty*") and - process.args : ("*HKLM*", "*HKCU*", "*HKEY_LOCAL_MACHINE*", "*HKEY_CURRENT_USER*", "*Registry::*")) - ) -) and not user.id : "S-1-5-18" +host.os.type:windows and 
event.category:process and event.type:start and ( + (process.name.caseless:"reg.exe" and process.args:"query") or + (process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and + process.command_line.caseless:((*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and + (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or *HKLM* or *Registry\:\:*)))) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "user.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 9bc90cdf6..6fcf1b7ca 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml 
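Review bot: The converted query drops the `not process.parent.executable : ("?:\\Program Files\\*", ...)` and `not user.id : "S-1-5-18"` guards and keys new terms on only `host.id` and `user.id`, so the first `reg query` or `Get-ItemProperty HKLM:` by SYSTEM or by any user on a host consumes the term and every later registry query from that identity is silent for 14 days, including an attacker's run under an account that executed one legitimate script. The sibling Internet-capabilities conversion keeps `process.command_line` as a third term; do the same here with `value = ["host.id", "user.id", "process.command_line"]`, or document the trade-off in a `note`. The patterns `*Get-ChildItem*`, `*HKLM*` and `*Registry\:\:*` are mixed/upper case against `process.command_line.caseless`, which is presumably lowercase-normalized; confirm the normalizer is applied to wildcard terms on the target stack, otherwise the PowerShell branch never matches.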
@@ -2,50 +2,65 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/12" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/20" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and proxy servers. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Discovery of Internet Capabilities via Built-in Tools" risk_score = 21 rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" -building_block_type = "default" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name : ("ping.exe", "tracert.exe", "pathping.exe") and - not process.args : ("127.0.0.1", "::1", "0.0.0.0", "192.168.*") +host.os.type:windows and event.category:process and event.type:start and +process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and +not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "1.1.1.1" or "1.2.3.4" or "::1") ''' [[rule.threat]] framework = "MITRE 
ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "user.id", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml similarity index 92% rename from rules/windows/discovery_net_view.toml rename to rules_building_block/discovery_net_view.toml index f79ecd709..a4342f266 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml @@ -4,10 +4,12 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool." from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] 
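Review bot: The new exclusion `not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "1.1.1.1" or "1.2.3.4" or "::1")` exempts `1.1.1.1`, one of the most common targets an operator pings to confirm egress — the exact behaviour the description says the rule covers — while `8.8.8.8` and other public hosts still alert, so the exception is both a blind spot and inconsistent. If `ping 1.1.1.1` was removed for false-positive volume, record that in the rule note; otherwise drop `1.1.1.1` (and `1.2.3.4`) and let the `process.command_line` new-terms field absorb repeated use. Removing `192.168.*` also means tracert/pathping against private RFC1918 hosts now count toward an "Internet capabilities" rule though they say nothing about egress; consider restoring a private-range exclusion covering the 10/8, 172.16/12 and 192.168/16 ranges.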
@@ -49,7 +51,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" @@ -70,9 +80,9 @@ process where host.os.type == "windows" and event.type == "start" and */ ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -83,9 +93,7 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml similarity index 95% rename from rules/windows/discovery_post_exploitation_external_ip_lookup.toml rename to rules_building_block/discovery_post_exploitation_external_ip_lookup.toml index d3d963d15..40219c503 100644 --- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml 
@@ -4,10 +4,12 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this @@ -62,7 +64,14 @@ references = [ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" @@ -109,27 +118,25 @@ network where host.os.type == "windows" and network.protocol == "dns" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [[rule.threat.technique]] id = "T1614" name = "System Location Discovery" reference = "https://attack.mitre.org/techniques/T1614/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - 
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml similarity index 92% rename from rules/windows/discovery_remote_system_discovery_commands_windows.toml rename to rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 90c6d2c99..0b70e684c 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -4,10 +4,12 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = "Discovery of remote system information using built-in commands, which may be used to move laterally." from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] @@ -49,7 +51,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -66,9 +76,9 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "group" and process.args : "/domain" and not process.args : "/add"))) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" @@ -79,9 +89,7 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml similarity index 88% rename from rules/windows/discovery_security_software_wmic.toml rename to rules_building_block/discovery_security_software_wmic.toml index 8e3377602..12707e0d3 100644 --- a/rules/windows/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -4,7 +4,8 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] 
@@ -52,32 +53,39 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name:"wmic.exe" or process.pe.original_file_name:"wmic.exe") and - process.args:"/namespace:\\\\root\\SecurityCenter2" and process.args:"Get" +(process.name : "wmic.exe" or process.pe.original_file_name : "wmic.exe") and +process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml new file mode 100644 index 000000000..5c46f3400 --- /dev/null +++ b/rules_building_block/discovery_signal_unusual_user_host.toml 
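Review bot: `+building_block_type = "default"` is inserted between `timestamp_override = "event.ingested"` and `type = "eql"`, while every other rule converted in this commit places it directly under `author = ["Elastic"]` — the `discovery_win_network_connections` and `discovery_windows_system_information_discovery` hunks even move it out of this exact position to that one. Keep the key order uniform so the BBR conversion stays greppable: drop the line here and add `building_block_type = "default"` right after `author = ["Elastic"]` (that part of the `[rule]` table is outside this hunk). The query reflow only adds spaces around `:` and does not change what is matched.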
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/10"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/10/10"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id and user.id entries.
+"""
+from = "now-9m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Discovery Activity by User"
+risk_score = 21
+rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
+ "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
+ "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
+ "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
+ "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169" or
+ "1d72d014-e2ab-4707-b056-9b96abe7b511"
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
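Review bot: The `kibana.alert.rule.rule_id:(...)` filter is a hard-coded list of nine bare UUIDs, so a reader cannot tell which Discovery building-block rule each entry is, nor notice when a rule is added to or dropped from `rules_building_block/` without this list being updated; the `description` should name the feeding rules (or a comment above `query = '''` should map each UUID to its rule name, if the repo's TOML tooling preserves comments). `kibana.alert.rule.rule_id` is the right key for this join — it is the static id from the rule file rather than the per-installation `kibana.alert.rule.uuid`. The `min_stack_version = "8.6.0"` floor justified by `min_stack_comments` applies equally to the nltest rule in this commit, whose `new_terms_fields` also grows to three fields — worth confirming its metadata was raised as well. Note also that `host.id`/`user.id` novelty is judged against a 14-day window of `.alerts-security.*` that is empty until the source building-block rules start alerting, so expect a burst of hits during the first window after deployment.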
diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml similarity index 75% rename from rules/windows/discovery_system_service_discovery.toml rename to rules_building_block/discovery_system_service_discovery.toml index 1e9af9b78..97efd2762 100644 --- a/rules/windows/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -4,10 +4,12 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/12" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges. 
@@ -20,14 +22,22 @@ name = "System Service Discovery through built-in Windows Utilities" risk_score = 21 rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and ( - ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or + ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and + not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") or (process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe") @@ -36,6 +46,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" @@ -44,4 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1007/" [rule.threat.tactic] id = "TA0007" name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0007/" 
diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml similarity index 67% rename from rules/windows/discovery_system_time_discovery.toml rename to rules_building_block/discovery_system_time_discovery.toml index a340cb45f..6ec486303 100644 --- a/rules/windows/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml @@ -1,15 +1,18 @@ [metadata] -creation_date = "2023/01/17" +creation_date = "2023/01/24" integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system. +Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance +phase after compromising a system. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] 
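Review bot: `creation_date` moves from `"2023/01/17"` to `"2023/01/24"` inside a hunk whose purpose is the building-block conversion, with nothing in the diff explaining it; a creation date is expected to be immutable, and tooling that derives rule history from it may treat this as a changed lineage. If it is a correction to the date the rule actually landed, say so in the PR description; otherwise revert it and bump only `updated_date`. The rest of the hunk (`bypass_bbr_timing = true`, `building_block_type = "default"`, the description reflow) is consistent with the sibling rules in this commit.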
@@ -19,21 +22,30 @@ name = "System Time Discovery" risk_score = 21 rule_id = "06568a02-af29-4f20-929c-f3af281e41aa" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and ( - ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : "time") or + ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and + process.args : "time") or (process.name: "w32tm.exe" and process.args: "/tz") or (process.name: "tzutil.exe" and process.args: "/g") -) and not user.id : "S-1-5-18" +) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1124" name = "System Time Discovery" diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index 071b80bc8..16ce86012 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml 
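Review bot: `) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")` now also drops LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20), presumably to quiet scheduled-task and service noise around `w32tm /tz` and `net time`, but those two well-known SIDs are exactly the identities that exposed services run under, so time discovery launched from a compromised service process becomes invisible to this building block and, through it, to the higher-order Discovery rule added in this commit. Prefer a narrower exclusion keyed on the noisy parent, e.g. `not (user.id : ("S-1-5-19", "S-1-5-20") and process.parent.name : "svchost.exe")` — confirm against the actual false positives — or at least record the blind spot in the rule `description` or a `note` so investigators know service-account activity is not covered. The `[[rule.threat.technique]]` block at the end of the hunk continues outside it.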
@@ -4,16 +4,17 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/14" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" @@ -21,9 +22,14 @@ name = "Windows System Network Connections Discovery" risk_score = 21 rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -43,19 +49,19 @@ process where event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index d5c4eb011..61bfa2d8c 100644 
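Review bot: `-from = "now-119m" -interval = "60m" +from = "now-9m"` puts this building block back on the default schedule (if the 5-minute default applies, roughly twelve times as many queries for a `risk_score = 21` rule), and `+bypass_bbr_timing = true` presumably suppresses the repo check that enforces the hourly BBR cadence — yet nothing explains why. The likely reason is the new `Unusual Discovery Activity by User` rule, which reads `.alerts-security.*` with a 9-minute window and could miss alerts produced on an hourly cadence; state that in the PR description, or in a comment such as `# default schedule: feeds the 9-minute higher-order Discovery rule` if the rule tooling keeps comments, otherwise the next maintainer will restore the BBR timing. The same change is made to the system-information-discovery rule in this commit and deserves the same explanation.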
--- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -4,16 +4,17 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/26" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" @@ -21,10 +22,15 @@ name = "Windows System Information Discovery" risk_score = 21 rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -48,6 +54,7 @@ process.parent.executable : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery"