diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 484fe5c20..9e6ab8905 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10' + default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11' jobs: pr: diff --git a/CLI.md b/CLI.md index b36304e6a..6e84e3f45 100644 --- a/CLI.md +++ b/CLI.md @@ -39,6 +39,7 @@ Using the environment variable `DR_BYPASS_NOTE_VALIDATION_AND_PARSE` will bypass Using the environment variable `DR_BYPASS_BBR_LOOKBACK_VALIDATION` will bypass the Detection Rules lookback and interval validation on the building block rules. +Using the environment variable `DR_BYPASS_TAGS_VALIDATION` will bypass the Detection Rules Unit Tests on the `tags` field in toml files. ## Importing rules into the repo @@ -63,7 +64,7 @@ Usage: detection_rules create-rule [OPTIONS] PATH Options: -c, --config FILE Rule or config file --required-only Only prompt for required fields - -t, --rule-type [machine_learning|saved_query|query|threshold] + -t, --rule-type [machine_learning|query|threshold] Type of rule to create -h, --help Show this message and exit. ``` @@ -324,7 +325,7 @@ Precedence goes to the flag over the config file, so if debug is enabled in your ## Using `transform` in rule toml -A transform is any data that will be incorporated into _existing_ rule fields at build time, from within the +A transform is any data that will be incorporated into _existing_ rule fields at build time, from within the `TOMLRuleContents.to_dict` method. _How_ to process each transform should be defined within the `Transform` class as a method specific to the transform type. diff --git a/detection_rules/cli_utils.py b/detection_rules/cli_utils.py index bc26007d7..8ec2ce928 100644 
--- a/detection_rules/cli_utils.py +++ b/detection_rules/cli_utils.py @@ -140,9 +140,9 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos threat_map = [] while click.confirm('add mitre tactic?'): - tactic = schema_prompt('mitre tactic name', type='string', enum=tactics, required=True) + tactic = schema_prompt('mitre tactic name', type='string', enum=tactics, is_required=True) technique_ids = schema_prompt(f'technique or sub-technique IDs for {tactic}', type='array', - required=False, enum=list(matrix[tactic])) or [] + is_required=False, enum=list(matrix[tactic])) or [] try: threat_map.append(build_threat_map_entry(tactic, *technique_ids)) @@ -158,7 +158,7 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos continue if name == 'threshold': - contents[name] = {n: schema_prompt(f'threshold {n}', required=n in options['required'], **opts.copy()) + contents[name] = {n: schema_prompt(f'threshold {n}', is_required=n in options['required'], **opts.copy()) for n, opts in options['properties'].items()} continue @@ -166,7 +166,7 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos contents[name] = schema_prompt(name, value=kwargs.pop(name)) continue - result = schema_prompt(name, required=name in required_fields, **options.copy()) + result = schema_prompt(name, is_required=name in required_fields, **options.copy()) if result: if name not in required_fields and result == options.get('default', ''): diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py index 5dfbf37af..ba3f2c63c 100644 --- a/detection_rules/devtools.py +++ b/detection_rules/devtools.py 
@@ -205,7 +205,6 @@ def bump_versions(major_release: bool, minor_release: bool, patch_release: bool, pkg_data["name"] = f"{minor_bump.major}.{minor_bump.minor}" pkg_data["registry_data"]["conditions"]["kibana.version"] = f"^{pkg_kibana_ver.bump_minor()}" pkg_data["registry_data"]["version"] = str(pkg_ver.bump_minor().bump_prerelease("beta")) - pkg_data["registry_data"]["release"] = maturity if patch_release: latest_patch_release_ver = find_latest_integration_version("security_detection_engine", maturity, pkg_data["name"]) @@ -537,7 +536,7 @@ def kibana_pr(ctx: click.Context, label: Tuple[str, ...], assign: Tuple[str, ... @click.option("--token", required=True, prompt=get_github_token() is None, default=get_github_token(), help="GitHub token to use for the PR", hide_input=True) @click.option("--pkg-directory", "-d", help="Directory to save the package in cloned repository", - default=os.path.join("packages", "security_detection_engine")) + default=Path("packages", "security_detection_engine")) @click.option("--base-branch", "-b", help="Base branch in target repository", default="main") @click.option("--branch-name", "-n", help="New branch for the rules commit") @click.option("--github-repo", "-r", help="Repository to use for the branch", default="elastic/integrations") @@ -556,13 +555,13 @@ def integrations_pr(ctx: click.Context, local_repo: str, token: str, draft: bool repo = client.get_repo(github_repo) # Use elastic-package to format and lint - gopath = utils.gopath() + gopath = utils.gopath().strip("'\"") assert gopath is not None, "$GOPATH isn't set" err = 'elastic-package missing, run: go install github.com/elastic/elastic-package@latest and verify go bin path' assert subprocess.check_output(['elastic-package'], stderr=subprocess.DEVNULL), err - local_repo = os.path.abspath(local_repo) + local_repo = Path(local_repo).resolve() stack_version = Package.load_configs()["name"] package_version = Package.load_configs()["registry_data"]["version"] 
@@ -574,7 +573,7 @@ def integrations_pr(ctx: click.Context, local_repo: str, token: str, draft: bool click.echo(f"Run {click.style('python -m detection_rules dev build-release', bold=True)} to populate", err=True) ctx.exit(1) - if not Path(local_repo).exists(): + if not local_repo.exists(): click.secho(f"{github_repo} is not present at {local_repo}.", fg="red", err=True) ctx.exit(1) @@ -593,7 +592,7 @@ def integrations_pr(ctx: click.Context, local_repo: str, token: str, draft: bool git("checkout", "-b", branch_name) # Load the changelog in memory, before it's removed. Come back for it after the PR is created - target_directory = Path(local_repo) / pkg_directory + target_directory = local_repo / pkg_directory changelog_path = target_directory / "changelog.yml" changelog_entries: list = yaml.safe_load(changelog_path.read_text(encoding="utf-8")) @@ -624,13 +623,15 @@ def integrations_pr(ctx: click.Context, local_repo: str, token: str, draft: bool def elastic_pkg(*args): """Run a command with $GOPATH/bin/elastic-package in the package directory.""" - prev = os.path.abspath(os.getcwd()) + prev = Path.cwd() os.chdir(target_directory) try: - return subprocess.check_call([os.path.join(gopath, "bin", "elastic-package")] + list(args)) + elastic_pkg_cmd = [str(Path(gopath, "bin", "elastic-package"))] + elastic_pkg_cmd.extend(list(args)) + return subprocess.check_call(elastic_pkg_cmd) finally: - os.chdir(prev) + os.chdir(str(prev)) elastic_pkg("format") 
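Review bot: In the `@@ -624` hunk, `elastic_pkg` still changes the process-wide working directory with `os.chdir(target_directory)` and restores it in `finally`, even though `subprocess.check_call` accepts `cwd=`, which scopes the directory to the child process and removes the try/finally entirely. The body can become `cmd = [str(Path(gopath, "bin", "elastic-package")), *args]` / `return subprocess.check_call(cmd, cwd=target_directory)`. If the chdir is kept, `os.chdir(str(prev))` does not need the `str()` — `os.chdir` accepts a `Path` directly. `elastic_pkg` is complete in this hunk, but the enclosing `integrations_pr` continues outside it.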
@@ -1236,14 +1237,19 @@ def build_integration_manifests(overwrite: bool, integration: str): @integrations_group.command('build-schemas') @click.option('--overwrite', '-o', is_flag=True, help="Overwrite the entire integrations-schema.json.gz file") -def build_integration_schemas(overwrite: bool): +@click.option('--integration', '-i', type=str, + help="Adds a single integration schema to the integrations-schema.json.gz file") +def build_integration_schemas(overwrite: bool, integration: str): """Builds consolidated integrations schemas file.""" click.echo("Building integration schemas...") start_time = time.perf_counter() - build_integrations_schemas(overwrite) - end_time = time.perf_counter() - click.echo(f"Time taken to generate schemas: {(end_time - start_time)/60:.2f} minutes") + if integration: + build_integrations_schemas(overwrite=False, integration=integration) + else: + build_integrations_schemas(overwrite=overwrite) + end_time = time.perf_counter() + click.echo(f"Time taken to generate schemas: {(end_time - start_time)/60:.2f} minutes") @integrations_group.command('show-latest-compatible') diff --git a/detection_rules/etc/api_schemas/8.11/8.11.base.json b/detection_rules/etc/api_schemas/8.11/8.11.base.json new file mode 100644 index 000000000..cd6f208af --- /dev/null +++ b/detection_rules/etc/api_schemas/8.11/8.11.base.json 
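Review bot: In `build_integration_schemas`, passing `--overwrite` together with `--integration` is silently ignored, because the `if integration:` branch hard-codes `build_integrations_schemas(overwrite=False, integration=integration)`; a user who runs `-o -i <name>` gets no indication that `-o` did nothing. Reject the combination up front, `if integration and overwrite:` / `raise click.UsageError("--overwrite cannot be combined with --integration")`, or document in the option help that `--integration` always appends. The removed and re-added `end_time`/`click.echo` lines look identical here, which suggests only their indentation changed; if they now sit inside the `else`, the timing message is no longer printed on the `--integration` path — confirm and dedent them if so. `integration` is `None` when the option is omitted, so `Optional[str]` (matching the file's existing `typing` usage) would be the accurate annotation.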
@@ -0,0 +1,453 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + 
"note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + 
"operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + 
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.11/8.11.eql.json b/detection_rules/etc/api_schemas/8.11/8.11.eql.json new file mode 100644 index 000000000..a1e618f98 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.11/8.11.eql.json 
@@ -0,0 +1,475 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + 
"type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + 
}, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + 
"tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.11/8.11.machine_learning.json b/detection_rules/etc/api_schemas/8.11/8.11.machine_learning.json new file mode 100644 index 000000000..ca88b1912 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.11/8.11.machine_learning.json 
@@ -0,0 +1,465 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "anomaly_threshold": { + "format": "integer", + "type": "number" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + 
"type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + 
"low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": 
"TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.11/8.11.new_terms.json b/detection_rules/etc/api_schemas/8.11/8.11.new_terms.json new file mode 100644 index 000000000..de43ba609 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.11/8.11.new_terms.json 
@@ -0,0 +1,516 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + 
"array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": 
"object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": 
"TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + 
"new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.11/8.11.query.json b/detection_rules/etc/api_schemas/8.11/8.11.query.json new file mode 100644 index 000000000..20d6284ce --- /dev/null +++ b/detection_rules/etc/api_schemas/8.11/8.11.query.json 
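Review bot: The `alert_suppression` object in the new 8.11 `new_terms` schema (and likewise in the `threat_match` and `threshold` schemas in the hunks below) carries no `min_compat` marker, unlike `related_integrations` and `setup`, which are tagged `"min_compat": "8.3"`; if I recall correctly, Kibana 8.11 accepts alert suppression only on `query` rules, so a `new_terms`, `threat_match` or `threshold` rule carrying that block would pass local validation against this schema and then be rejected at import time. If these files are generated from the rule dataclasses, the fix belongs there — a per-rule-type suppression field with its own `min_compat`, so the generator emits the block only for the versions that support it. Separately, `risk_score` is emitted with `"description": "MaxSignals"` in all four schemas; that label is copied from the `max_signals` type and misdescribes a field bounded to 1–100, so the risk-score type deserves its own name or description.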
@@ -0,0 +1,465 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + 
"array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + 
"medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", 
+ "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.11/8.11.threat_match.json b/detection_rules/etc/api_schemas/8.11/8.11.threat_match.json new file mode 100644 index 000000000..dcc339473 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.11/8.11.threat_match.json 
@@ -0,0 +1,556 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "items_per_search": { + "description": "PositiveInteger", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": 
"string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + 
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + 
"reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match 
Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.11/8.11.threshold.json b/detection_rules/etc/api_schemas/8.11/8.11.threshold.json new file mode 100644 index 000000000..0c5a10ad7 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.11/8.11.threshold.json 
@@ -0,0 +1,514 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + 
"array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + 
"medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": 
{ + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "field": { + "description": "CardinalityFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + 
"threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json index cb0fad5a7..83204faf4 100644 --- a/detection_rules/etc/attack-technique-redirects.json +++ b/detection_rules/etc/attack-technique-redirects.json @@ -132,5 +132,5 @@ "T1536": "T1578.004", "T1547.011": "T1647" }, - "saved_date": "Mon Aug 14 13:11:43 2023" + "saved_date": "Fri Oct 13 12:24:23 2023" } \ No newline at end of file diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz index 0f45ebeb7..cf73eb2fd 100644 Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ diff --git a/detection_rules/etc/beats_schemas/v8.10.3.json.gz b/detection_rules/etc/beats_schemas/v8.10.3.json.gz new file mode 100644 index 000000000..5ae373a27 Binary files /dev/null and b/detection_rules/etc/beats_schemas/v8.10.3.json.gz differ diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json index a878ce1ae..7b6d7e5cc 100644 --- a/detection_rules/etc/deprecated_rules.json +++ b/detection_rules/etc/deprecated_rules.json @@ -1,4 +1,9 @@ { + "041d4d41-9589-43e2-ba13-5680af75ebc2": { + "deprecation_date": "2023/09/25", + "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", + "stack_version": "8.3" + }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "deprecation_date": "2021/04/15", "rule_name": "TCP Port 8000 Activity to the Internet", 
@@ -89,6 +94,11 @@ "rule_name": "Execution via Regsvcs/Regasm", "stack_version": "7.14.0" }, + "4973e46b-a663-41b8-a875-ced16dda2bb0": { + "deprecation_date": "2023/09/25", + "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", + "stack_version": "8.6" + }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "deprecation_date": "2022/03/16", "rule_name": "Potential PrintNightmare File Modification", diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz index 0487c2d84..346b5408c 100644 Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz index 302ffb97a..91eb0d5f5 100644 Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz index 30e6a9f0a..79464ba88 100644 Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz index 0a6163994..461be1897 100644 Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz index ad0fefa6e..317f0d6f5 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
index 0cc0eecb2..74936ae36 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
index 2db1db747..b228ca7e7 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
index b36e8545d..e6d7025b0 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index 39862b984..c8c882204 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index 752519ca7..904bac3de 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz
index 77dc0c728..a1e3888a5 100644
Binary files a/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz
index 80de6568c..57a9eee26 100644
Binary files a/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz
index 2516b5df2..9716dd609 100644
Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz
index 5d894abdc..a8bd99a8b 100644
Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz
index 12dbd7760..2f52a8b5f 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz
index b2662fa9d..424d14a53 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz
index 66e34040f..de56d71c6 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz
index a6fef6b8b..46b250d12 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index f70e740c0..9790a3a86 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index 464894a2e..b752df620 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index 2ac587c9f..509e29278 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index 1365703cf..029310d69 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index 77606d062..c5d867b85 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index 6d94053da..e1034f34f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_8.11.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
similarity index 99%
rename from detection_rules/etc/ecs_schemas/master_8.11.0-dev/ecs_flat.json.gz
rename to detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index 2dd7f75df..2fbb60ab2 100644
Binary files a/detection_rules/etc/ecs_schemas/master_8.11.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
new file mode 100644
index 000000000..9a25e7cc1
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index b8673c332..100380ac6 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index 4bd967f33..41c2d1c53 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index 6351dfef7..7cd5dca99 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index 3f60465eb..4ddd95092 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index 78f9e41ad..993317b1a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index 24c462c84..2025f4b08 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index adf088e21..03fe439c2 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index 83f31313e..532b8636b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index fcac8d2ad..013414f07 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index c4ec36b77..942429640 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index 9658463b6..3e2f01949 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index a3d46f7c9..f5e472947 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index aab8fdc22..29f44446e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 20574a46d..90b77e558 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index 006e7a11f..1e99907c7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index 59f4d27e9..4f731534d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index a87851d73..7a571cbb8 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index cc72774c0..fe5497b61 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index 9f37d1679..1476dcef6 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index d413c0f58..7152b813d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index 061619d2a..b93906ab8 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index 099ff17d0..b45ea6c5c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index 0b08f4f8f..89ef74ad3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index 968d91e23..68cf8632e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index fd6726a10..6a2810cf7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index aebfc87d9..ff8aee6e2 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index c44ab279a..def85c09e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index 8f064df90..34c5c2ff5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index 9d3927e7d..925343553 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index 9e1a90a63..33fe9e89a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index 7761018ca..ed96653d5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index f1f4db85f..5bd5e3393 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index 225574773..fef9906f0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz index cad7c9f5d..b5a534586 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz new file mode 100644 index 000000000..3c652f315 Binary files /dev/null and b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz differ diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 5303e11f2..3166aef51 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index dc8f49bd6..be5dfd685 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index ba80df95a..408ca42a9 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -114,7 +114,8 @@ }, ".alerts-security.*": { "signal.rule.name": "keyword", - "kibana.alert.rule.threat.tactic.id": "keyword" + "kibana.alert.rule.threat.tactic.id": "keyword", + "kibana.alert.rule.rule_id": "keyword" }, "logs-google_workspace*": { "gsuite.admin": "keyword", diff --git a/detection_rules/etc/packages.yml b/detection_rules/etc/packages.yml index 13d839034..c8050f5c0 100644 --- a/detection_rules/etc/packages.yml +++ b/detection_rules/etc/packages.yml 
@@ -4,24 +4,27 @@ package: maturity: - production log_deprecated: true - name: '8.11' + name: '8.12' registry_data: categories: - security conditions: - kibana.version: ^8.11.0 + kibana.version: ^8.12.0 + elastic: + subscription: basic description: Prebuilt detection rules for Elastic Security - format_version: 1.0.0 + format_version: 3.0.0 icons: - size: 16x16 src: /img/security-logo-color-64px.svg type: image/svg+xml - license: basic + source: + license: Elastic-2.0 name: security_detection_engine owner: github: elastic/protections - release: ga + type: elastic title: Prebuilt Security Detection Rules type: integration - version: 8.11.0-beta.0 + version: 8.12.0-beta.0 release: true diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index b9b1674a8..a7247936a 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -81,11 +81,16 @@ endgame: "8.4.0" "8.10.0": - beats: "8.9.0" - ecs: "8.9.0" + beats: "8.10.3" + ecs: "8.10.0" endgame: "8.4.0" "8.11.0": - beats: "8.9.0" - ecs: "8.9.0" + beats: "8.10.3" + ecs: "8.10.0" + endgame: "8.4.0" + +"8.12.0": + beats: "8.10.3" + ecs: "8.10.0" endgame: "8.4.0" \ No newline at end of file diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index c18651999..7444b4537 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json 
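Review bot: The existing "8.10.0" and "8.11.0" entries in stack-schema-map.yaml are retroactively re-pointed from beats/ecs 8.9.0 to beats 8.10.3 and ecs 8.10.0, so rules already locked for those stack versions will now be validated against a newer field set than they were built against; confirm that is intended rather than only adding the new "8.12.0" entry. The new "8.12.0" entry also maps to ecs 8.10.0 even though this commit vendors a master_8.12.0-dev ECS snapshot, so either that snapshot is unused by the map or the mapping is stale. Git reports the new 8.10.0/ecs_flat.json.gz as a 99%-similar rename of master_8.11.0-dev/ecs_flat.json.gz, so it is worth confirming that directory was regenerated from the 8.10.0 release artifact rather than moved from the dev snapshot. A comment above the three entries such as `# 8.10-8.12 share ECS 8.10.0 / beats 8.10.3; bump all three together when a newer release is vendored` would record the intent, and the file still ends without a trailing newline.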
@@ -1,24 +1,33 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73", + "type": "query", + "version": 107 + } + }, "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73", + "sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2", "type": "query", - "version": 105 + "version": 207 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "d30c57775c5b17bd01a68c5752337e391ce2d7db5cb8aa6eccbc9a54c200c86c", + "sha256": "c12251f0ebf415936a88178bbe670516848a774c5cf3e9bc888a6a8824a0e13a", "type": "eql", - "version": 108 + "version": 109 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.3", "rule_name": "System Shells via Services", - "sha256": "8f7269ea080f0c8f9d2257a9ed2e32139f4c2c1cd0dbc9ebf61ee83987b10d83", + "sha256": "629ee62bf64e9993225823b0969be69d7b4494d53adc0ffbcdc501745be3ab8f", "type": "eql", - "version": 107 + "version": 108 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "min_stack_version": "8.4", 
@@ -35,18 +44,27 @@ "version": 102 }, "015cca13-8832-49ac-a01b-a396114809f6": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Redshift Cluster Creation", + "sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Redshift Cluster Creation", - "sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d", + "sha256": "b1c8e121fb4363f74d0c8928f3335aa2f374919f5257a9f4b17483773c49f348", "type": "query", - "version": 103 + "version": 205 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { "min_stack_version": "8.3", "rule_name": "Potential Network Scan Detected", - "sha256": "22c367ac24c7772c54e861eaef3c3cc0d8677b1dbecc70626f38c6ba482f1eb2", + "sha256": "6f969409e34ce2e04899c197404f8717d28ae3866797966be0653c4a3867fdc6", "type": "threshold", - "version": 2 + "version": 4 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.3", @@ -106,12 +124,19 @@ "type": "eql", "version": 2 }, + "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { + "min_stack_version": "8.3", + "rule_name": "Potential Network Scan Executed From Host", + "sha256": "247079101b736a6f3dfb963c2106e2d5dfaf9523a631e74b57ca03fa12e6c429", + "type": "threshold", + "version": 1 + }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "min_stack_version": "8.3", "rule_name": "Modification of OpenSSH Binaries", - "sha256": "4cb2b6b77c91784f961b4347413643db618e2f27805ae42c5d6087ba7e5a9794", + "sha256": "77e56ceb38921c2a4b69d7e793e5cebe8412e613b9f767bf3e7d272f297aa00d", "type": "query", - "version": 105 + "version": 106 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "min_stack_version": "8.3", 
@@ -130,9 +155,9 @@ "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "242d70865b8ccc44b23dc4c85ec781e9f6de7966acae6376216fe6157df81b72", + "sha256": "900e474f07b795dfe109f252a2d4a9069cdb9a8471cde0a8e19a36b84f3797ba", "type": "eql", - "version": 106 + "version": 107 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.3", 
@@ -144,30 +169,44 @@ "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.3", "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "7f1bba1cf96766fe9d2d0d21e7e7d03114483ebf1d91a52bdc7a370c5751699b", + "sha256": "6df780c2019fb6ff0102a70515a5233d958c58be4522ce64b31da80680965b27", "type": "eql", - "version": 106 + "version": 107 + }, + "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { + "min_stack_version": "8.3", + "rule_name": "Tainted Kernel Module Load", + "sha256": "a546a22d29ab39e34b84e1d2bb96312c59c8c0072948b715eea31b3cae42f3fb", + "type": "query", + "version": 1 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "f31c9a7ea34568a5374ff1710793245daeb9aeb25b3a9a24e97f06a5888a0ca2", + "sha256": "e707dd532d4c099c31f5b95bdc9d237af995a146109cd6caf07576bac95509f4", "type": "query", - "version": 105 + "version": 106 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", - "sha256": "21369e608f88a1ea5dcd90d5365bba2e9a909fabf973ed66e37e9136f5f0699a", + "sha256": "43d5cfda7bb1c28139045da08dfbda821d56fd45af89f05a4cf932a0b7eee839", "type": "eql", - "version": 108 + "version": 109 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.3", "rule_name": "System Time Discovery", - "sha256": "8534280f701e221bc1312804c5bf3de446a2ef36dd62d6e9bc6e3bb765c9cf76", + "sha256": "79c7e1897310a5fff8e9aa62c967679ae8fb0f6681b13c0fd66289142de0e1d6", "type": "eql", - "version": 4 + "version": 5 + }, + "0678bc9c-b71a-433b-87e6-2f664b6b3131": { + "min_stack_version": "8.9", + "rule_name": "Unusual Remote File Size", + "sha256": "ad214cde675085b61786dcd969409c869ca6ea48663d0b5227356ec6b1bd906e", + "type": "machine_learning", + "version": 1 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "min_stack_version": "8.3", 
@@ -200,16 +239,16 @@ "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", - "sha256": "5839a3666d7e0133ba8b7e42ac89b59b39e750d0b97a3b3583b69c13de90129a", + "sha256": "8822c17823d2a397a734dabe9b76dc5786f7ea603e234dc22bac765c440f88ad", "type": "threshold", - "version": 3 + "version": 4 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.3", "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "a31f827db85593474e5766adaf71c535a3a5d7ce628347b6b7e606bdb261bd04", + "sha256": "89428d0f0fc36a5b1ff0704bcfaf222c5592e066c0a1179e4d851b02b8384d67", "type": "eql", - "version": 5 + "version": 6 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "min_stack_version": "8.4", @@ -258,9 +297,9 @@ "089db1af-740d-4d84-9a5b-babd6de143b0": { "min_stack_version": "8.3", "rule_name": "Windows Account or Group Discovery", - "sha256": "9c4c3dc22f5ae081c7fce7c1cb6523dabdd5affb3e5b4ffce5fe00ec5dd65815", + "sha256": "bb76e59c53a0b50ac513121a9591fecea2eac83851584542c8860bb511c0785f", "type": "eql", - "version": 2 + "version": 3 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", @@ -278,9 +317,9 @@ "09443c92-46b3-45a4-8f25-383b028b258d": { "min_stack_version": "8.3", "rule_name": "Process Termination followed by Deletion", - "sha256": "b47a3759b8145c73009358643478d070d44505235b1c16c6282bf2925986ffaa", + "sha256": "3eef996ce0b596a8c36e90f7b072702cf85d200f1a9683ab6d81d18bf69ed5d1", "type": "eql", - "version": 106 + "version": 107 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", 
@@ -291,9 +330,9 @@ "09bc6c90-7501-494d-b015-5d988dc3f233": { "min_stack_version": "8.3", "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", - "sha256": "094055b11724accc14288884bea8d069e3e5c1c1d32159a9b78fc9d7808cdc3a", + "sha256": "86eaafcb32b1483e8453f37ecd655c5e8c33aceb5c823ab84d86ff4a4759ca09", "type": "eql", - "version": 1 + "version": 2 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "min_stack_version": "8.3", @@ -312,9 +351,9 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "6292561dbd089951c5f89ea4611e1d54d55397b493aa93f8cdba5c3e5f7e09fa", + "sha256": "010e64048d380d35b40f806816a62483d54ed2f3cdafafd01f6d92feb6df8f79", "type": "query", - "version": 1 + "version": 3 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.3", @@ -333,9 +372,9 @@ "0b803267-74c5-444d-ae29-32b5db2d562a": { "min_stack_version": "8.3", "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "cd1a313ebc7c4d9e532bb43100c4d5c06d27676750ffde616f9aec4fcb71d086", + "sha256": "c545678521c2df966a1a7b9a11ac1e9e2bb8d0acad65746d1bb12f47607f2149", "type": "eql", - "version": 2 + "version": 3 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "min_stack_version": "8.3", 
@@ -391,16 +430,16 @@ "0d69150b-96f8-467c-a86d-a67a3378ce77": { "min_stack_version": "8.3", "rule_name": "Nping Process Activity", - "sha256": "b526d1555e13cf130c9d0129928555065e1f976d20616cd8863f9e2f7c8720e6", + "sha256": "a268355fc0423778888b7e0b1d9b8e7e5dd149344e2b5baa79b585c6189698e4", "type": "eql", - "version": 105 + "version": 106 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "b2d0f5656de26bb1163ed5edbb9bf90bde8a599b310b94c0eb3e629ddc0b93a3", + "sha256": "a66ec71c96a9c0d09c09ad1d94067327b19e7db5411461bda17ce482fff03de5", "type": "eql", - "version": 106 + "version": 107 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "min_stack_version": "8.3", @@ -435,9 +474,16 @@ } }, "rule_name": "Potential Persistence Through Run Control Detected", - "sha256": "cd15e73bb94658d23cc9c074c1ace32b319514089fac6deb29e145d0179bb131", + "sha256": "514ea9a49add087a7f2f10f48d370ebfea15dc09db5bb9d5a908453ced80567e", "type": "new_terms", - "version": 106 + "version": 107 + }, + "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { + "min_stack_version": "8.3", + "rule_name": "Netcat Listener Established via rlwrap", + "sha256": "ff53f0363d8f483a8cedf49e6a907968b544472e09fd83e82d1eb9b2f3b16af0", + "type": "eql", + "version": 1 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", 
@@ -484,30 +530,39 @@ "11013227-0301-4a8c-b150-4db924484475": { "min_stack_version": "8.3", "rule_name": "Abnormally Large DNS Response", - "sha256": "7ae8452448297fae3af27315e9a0cd50e7419f0dec791237656f8859df113c3f", + "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", "type": "query", - "version": 104 + "version": 105 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.3", - "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "sha256": "6ed2244e093a1870d45df1482662e4f762ce4734090878e0a1d1a06e9675b775", + "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", + "sha256": "73bcd7b6468b86456d40fae00cecf6d091d5f5b42458d68c4ba96cb0f0304967", "type": "eql", - "version": 105 + "version": 107 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "faeaccab4b1a4766cc93a7b427cb7250df74ac218438d547281678e44d7a3cd9", + "sha256": "b0824ce814b7fa05a5a6e8d9f8f54849dd033892fd3ad5d850a4a5e2df77645b", "type": "eql", - "version": 107 + "version": 108 }, "119c8877-8613-416d-a98a-96b6664ee73a": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Snapshot Export", + "sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Snapshot Export", - "sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7", + "sha256": "8ad9d6381bc6ad8046516f5f50cdc304ccb0958161af21a171928b95088b6b17", "type": "query", - "version": 103 + "version": 205 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", 
@@ -518,23 +573,32 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "f455fef003011587f2e1a56fce94b03276f7155952af5cd091a8eadf88a62e68", + "sha256": "d41a56fd39249f9a8ecaea4b7739a996efe8bbd66aa4165345951de99ac2d102", "type": "query", - "version": 7 + "version": 8 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "8614adabfa74ea56500abff063edfd0fab24a93e560df2fdfd68d3a60b78fa10", + "sha256": "f48869c0c1a7667d8c8a24d78167a2e33fa2e5db8b4d71bbab951f29a6571875", "type": "eql", - "version": 107 + "version": 108 }, "12051077-0124-4394-9522-8f4f4db1d674": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", + "sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f", + "sha256": "ee7d0fde7179ecae486163263d6baf71e90dd5e6048b4db1674a4d4eff6f2975", "type": "query", - "version": 103 + "version": 205 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", @@ -542,6 +606,13 @@ "type": "query", "version": 100 }, + "1224da6c-0326-4b4f-8454-68cdc5ae542b": { + "min_stack_version": "8.9", + "rule_name": "Suspicious Windows Process Cluster Spawned by a User", + "sha256": "dce0a6166ccdba29ec3a03d3fbd91c615057e7615daa7020e5a488304719aa3d", + "type": "machine_learning", + "version": 1 + }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", 
@@ -606,9 +677,9 @@ "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.3", "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "fcf12be61708b748f14f6ae118e930f2c5ebf65992bc3df225f66c5dad6ed0b6", + "sha256": "91ce748803215def5fc3e0a13c3061c7a533494b7bfd86f66b778586a56f4ee9", "type": "eql", - "version": 106 + "version": 107 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.3", @@ -630,6 +701,13 @@ "type": "query", "version": 100 }, + "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { + "min_stack_version": "8.9", + "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", + "sha256": "2841e9117fd834df97cee4f6d7220cf2c5296a604b9e73f4477e8206eb7f78b3", + "type": "eql", + "version": 1 + }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "min_stack_version": "8.3", "rule_name": "Azure External Guest User Invitation", @@ -640,16 +718,16 @@ "143cb236-0956-4f42-a706-814bcaa0cf5a": { "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "54422260766b12b7477aec8acb27085b1eae0a36285553d26e5730bce422e7a9", + "sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214", "type": "query", - "version": 102 + "version": 103 }, "14dab405-5dd9-450c-8106-72951af2391f": { "min_stack_version": "8.3", "rule_name": "Office Test Registry Persistence", - "sha256": "2a26bc9292902c92d9bc73a14ff7e20ffa9c0904b209692b1e8e23bd32c88fb3", + "sha256": "dfc7bc44c6f6d34fee6331a065d25992ba9f2cb18ddddf1d91a9c581eb4f15b8", "type": "eql", - "version": 1 + "version": 2 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -670,16 +748,23 @@ "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "afca97139ffb2af012ea212958cd4118f14e183943e7c030e5ac45d06a430450", + "sha256": "02cd614602c0740f432c413ad474d41900748740202d7ffd5f6103b3096ff544", "type": "eql", - "version": 104 + "version": 105 + }, + "1542fa53-955e-4330-8e4d-b2d812adeb5f": { + "min_stack_version": "8.3", + "rule_name": "Execution from a Removable Media with Network Connection", + "sha256": "395e463813d0cad1e718f84d5a13a564016c82b69dcfd8027af981c0ec07cc2f", + "type": "eql", + "version": 1 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.3", "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "17c01410a2573124cf140a518366b8a585209a201bfee33b5f7d855fa9b07e2c", + "sha256": "2f29328dabd08f923a8df391ea35c8ea653ed3968d056d71b05ae11f402b17c9", "type": "query", - "version": 107 + "version": 108 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "min_stack_version": "8.3", 
@@ -717,18 +802,27 @@ "version": 104 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Group Creation", + "sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Group Creation", - "sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c", + "sha256": "b97182b40fec27cf6728746f838be74ee2cf5ebee183fc5d0f6eaf338b7d90a3", "type": "query", - "version": 103 + "version": 205 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "min_stack_version": "8.3", "rule_name": "Component Object Model Hijacking", - "sha256": "436bc1aff82273c9504f7df46a2ce3c1653d4dd9864c1580f5ecb99a74c6e3cf", + "sha256": "6f7e78b34dbd113748d1850790a473327c1ae2f910eaed28ea59e14871d611f2", "type": "eql", - "version": 107 + "version": 108 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "min_stack_version": "8.3", @@ -775,9 +869,9 @@ "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", - "sha256": "bd8754496ad2a53571780aab55b02d8dbe4aa20329da96a586b6f81cb7fecdf8", + "sha256": "4ee6af63081a009901c6f3b4f3f314e8c3dbe15dd4d5751b7c5536708cc01fed", "type": "new_terms", - "version": 4 + "version": 5 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.3", 
@@ -806,19 +900,42 @@ "type": "eql", "version": 100 }, + "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { + "min_stack_version": "8.9", + "rule_name": "Spike in Number of Connections Made to a Destination IP", + "sha256": "92faf5914bec5a5a185f949112f5ff576d15fd69a5f405d73697602768830d77", + "type": "machine_learning", + "version": 1 + }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", - "sha256": "1169776f997d618e40607bc71cdd85c338f7c14f158c845f3ab3ab48922d23f4", + "sha256": "f58eb1cacf84d92e06f41776bcc67711b803714568ae64ad82e907c980a3c4d5", "type": "eql", - "version": 1 + "version": 2 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Rare AWS Error Code", + "sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Rare AWS Error Code", - "sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d", + "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec", "type": "machine_learning", - "version": 106 + "version": 208 + }, + "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { + "min_stack_version": "8.9", + "rule_name": "Spike in Number of Processes in an RDP Session", + "sha256": "c3869d7536ca507bf986047bad80507a729751302776f5a258810c9a9814c2de", + "type": "machine_learning", + "version": 1 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "min_stack_version": "8.8", 
@@ -842,11 +959,20 @@ "version": 106 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Suspended", + "sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0", + "sha256": "dd01a147a8898a4f6c696c83a4c436bf0325ab7552a03039d7cd71ff0b6c00dc", "type": "query", - "version": 106 + "version": 208 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "min_stack_version": "8.3", 
@@ -858,23 +984,39 @@ "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", - "sha256": "68f0d73167458fd1589c365cfb07d8bdf9d49e3368435dd8ad08d5eda2d180a4", + "sha256": "aae5d1cb44fafff6fe643a706d5eef8d83794dfae46ea638507259cb2c9bb041", "type": "eql", - "version": 104 + "version": 105 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS ElastiCache Security Group Modified or Deleted", + "sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c", + "sha256": "95e2cb6322ef7b2d7bc2fc96460cbfcb4c76f0eb17351a134c783936996adab0", "type": "query", - "version": 103 + "version": 205 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "8b67ccd035342354a2698b9006811320c186cc7a6caebc0aaff26698e08a45bd", + "sha256": "0b4cbcadf42c525059f293cf8894de62f587e228878dfc70d1d6aafdfebaa221", "type": "eql", - "version": 7 + "version": 8 + }, + "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { + "min_stack_version": "8.3", + "rule_name": "Potential Process Injection from Malicious Document", + "sha256": "585cc415f1c54e220db615a5f052321909100ebc7b9e63b944e6b19a6a4e6404", + "type": "eql", + "version": 1 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "min_stack_version": "8.3", 
@@ -886,9 +1028,9 @@ "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "3113571e7885f573582d119f9e0905d33369509446e7a2729497380f27d3d077", + "sha256": "d5fac2c07f8912a7aeb5987420d21df972ba3bcfda92b5c66438a6f37625e973", "type": "eql", - "version": 108 + "version": 109 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "min_stack_version": "8.3", @@ -897,6 +1039,13 @@ "type": "query", "version": 102 }, + "1ca62f14-4787-4913-b7af-df11745a49da": { + "min_stack_version": "8.3", + "rule_name": "New GitHub App Installed", + "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", + "type": "eql", + "version": 1 + }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", @@ -907,16 +1056,16 @@ "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", - "sha256": "6e10cd53c6b8fef5635f3e97892648c45c1ef8219958c3ad9af076a08f6788b7", + "sha256": "9b721a8bd708e3ba1c854f032771bd1fa175535e5dc546a07be290e5c156c6d3", "type": "eql", - "version": 107 + "version": 108 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "min_stack_version": "8.3", "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "b1a5f097c5ad6885bbd55d4375fd72cfc09507c502321b80aec6edfe33bc3a75", + "sha256": "d08e975b8630d786933967d9de847dfbdd6fc6a5447715691a1a27ee3b22198a", "type": "eql", - "version": 106 + "version": 107 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "min_stack_version": "8.3", 
@@ -928,9 +1077,9 @@ "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "cbdda8fa4a7ee1ebd5708a3bcc4aaf50947d560339f8f8c45effe6f0e8309a64", + "sha256": "09504eee0ca293aed720134b083bcf30791788c02f630b563bfb73e34fe17918", "type": "eql", - "version": 104 + "version": 105 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "min_stack_version": "8.4", @@ -946,12 +1095,19 @@ "type": "eql", "version": 106 }, + "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { + "min_stack_version": "8.3", + "rule_name": "Potential Linux Hack Tool Launched", + "sha256": "1d7ffe0b0cb484baa86ed92a884c1b7c1ed28b7a8d3591393beaf14d5ffe7fc4", + "type": "eql", + "version": 1 + }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "3dccbfd612147d0714339a1a2d6ad16efe695f6d5d9ea764a595cec716beff1b", + "sha256": "e1abdaaaa56dcd60699f61e183b6ee3d637065363a4aef48e49785d0f3d52a12", "type": "query", - "version": 2 + "version": 3 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "min_stack_version": "8.3", @@ -998,9 +1154,9 @@ "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "f14eab4a7143c53fcd49fb00bb945fe9f86c0db1e63ad3b4fd1ceced47e484f1", + "sha256": "6005266947232b8c8285b53252c0a3aceb08713658436d0aa268fd92aaa462f0", "type": "eql", - "version": 107 + "version": 108 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "min_stack_version": "8.3", 
@@ -1012,9 +1168,9 @@ "201200f1-a99b-43fb-88ed-f65a45c4972c": { "min_stack_version": "8.3", "rule_name": "Suspicious .NET Code Compilation", - "sha256": "838a9d840a2c93100aa9faf4b4291f9c968db9e541f1cf59807bd041b0d88a94", + "sha256": "94fec9b0c4fecdb1ba512be811459a1cae6d7efcac880fc5d63a308a8f87be8b", "type": "eql", - "version": 106 + "version": 107 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.3", @@ -1024,11 +1180,20 @@ "version": 106 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route 53 Domain Transferred to Another Account", + "sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465", + "sha256": "7512cf97f8885a42febe293ecc8c04d77f6369d4ba87372fcd3ef38a204f9af3", "type": "query", - "version": 103 + "version": 205 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.3", @@ -1079,11 +1244,20 @@ "version": 5 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "SSH Authorized Keys File Modification", + "sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c", + "type": "query", + "version": 104 + } + }, "rule_name": "SSH Authorized Keys File Modification", - "sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c", - "type": "query", - "version": 104 + "sha256": "005f7835fa070f7f885e2383bf737e042e166aa86438d213922d52e82ff0cd91", + "type": "new_terms", + "version": 204 }, "22599847-5d13-48cb-8872-5796fee8692b": { "min_stack_version": "8.3", 
@@ -1093,11 +1267,20 @@ "version": 107 }, "227dc608-e558-43d9-b521-150772250bae": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "AWS S3 Bucket Configuration Deletion", + "sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17", + "type": "query", + "version": 106 + } + }, "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17", + "sha256": "7804226b0da1b8d6dde3bbfed024feab1da6c23e091dfa55852b50309f4dd9fe", "type": "query", - "version": 104 + "version": 206 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "min_stack_version": "8.3", 
@@ -1115,24 +1298,45 @@ }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "min_stack_version": "8.3", - "rule_name": "Kernel module load via insmod", - "sha256": "716b6003b6a1bbcec145bd5ccdfc5283a40c843dc12fc82ff75fd26cc67b5b7c", + "rule_name": "Kernel Module Load via insmod", + "sha256": "4c816b9ebae8561e4197ef52689ef05de8036037dc74de66afdae2a9aa6a2845", "type": "eql", - "version": 105 + "version": 106 + }, + "2377946d-0f01-4957-8812-6878985f515d": { + "min_stack_version": "8.9", + "rule_name": "Remote File Creation on a Sensitive Directory", + "sha256": "d175835a59f26f5a7a7607eec8ec9be98bff92a092fcb817859b99170ad0ddd6", + "type": "eql", + "version": 1 + }, + "24401eca-ad0b-4ff9-9431-487a8e183af9": { + "min_stack_version": "8.3", + "rule_name": "New GitHub Owner Added", + "sha256": "360c844a728a8074f32947d9ad6d1b26d414b7aafe87847d5b92dc546b8931f5", + "type": "eql", + "version": 1 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", - "sha256": "9567e972186b39d9f4d1a378dfb482b40eae9cc129ee8c83562223fb8f1a9a3a", + "sha256": "7eb4bab3a9d22066a5b70d36c5d06224bd14bf207e4152a20a04bd323f5fc06a", "type": "eql", - "version": 104 + "version": 105 + }, + "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { + "min_stack_version": "8.3", + "rule_name": "Potential Reverse Shell via Background Process", + "sha256": "98913787308b752f32b96a1d2e394c59c7a0c880b2caa632f30c81842f2cb0c9", + "type": "eql", + "version": 2 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "8bd9e051e381430287850aac140060e1c4eb55636e83ae0d010d241069f208cb", + "sha256": "15d66149f0f83ab636bbca6591b3cda98a98989d4e8cbca69c06725499d7fd2e", "type": "eql", - "version": 2 + "version": 3 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "min_stack_version": "8.3", 
@@ -1144,9 +1348,9 @@ "265db8f5-fc73-4d0d-b434-6483b56372e2": { "min_stack_version": "8.3", "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "158c5a76f4a4ff8441aa5189db7ca3f8677a210f01a9023decd1732862ef8f46", + "sha256": "0f3875681feabc9889f6f06cf0687e0b3f367b347f46f58fe88448b97c69821c", "type": "eql", - "version": 107 + "version": 108 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "min_stack_version": "8.3", @@ -1172,9 +1376,9 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "2173b0cc2bec6028b91c5b9a051908ca9d6ea87cae8c881a23622b6239e85eee", + "sha256": "2a8ff80cbf124d75571a8831f389c7e67129f89c0f2d1b512133a48bbf0d3478", "type": "query", - "version": 2 + "version": 3 }, "272a6484-2663-46db-a532-ef734bf9a796": { "min_stack_version": "8.3", @@ -1186,9 +1390,9 @@ "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "ed68bcf2e292ec89f9e8f578e9e4847812fd4177fa242725286c16db53ff03e0", + "sha256": "06a344a111e75594161e3a08c78be77d29fd146dec8b6ce48d5cc9330a9166f1", "type": "eql", - "version": 106 + "version": 107 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "min_stack_version": "8.3", 
@@ -1207,16 +1411,16 @@ "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "min_stack_version": "8.3", "rule_name": "Account Password Reset Remotely", - "sha256": "4e81da588d72ce375e5c9d046ebc2d09776070111a26ad970d2a12b048741c4d", + "sha256": "f21f7b41b32d1c07a79ab7a9be75729b18a0dff1cf744238f305d04f3a862ea6", "type": "eql", - "version": 106 + "version": 107 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.3", "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "8ba669048ae42b7afd8f153bbae5a1b181f3d070db1241c38c847c1fe4dae0e1", + "sha256": "900b6c0dcc73edd29b7f8b445d08d37da743dcd1e18c5a8cc4a545be1c9e4c72", "type": "eql", - "version": 106 + "version": 107 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "min_stack_version": "8.3", @@ -1228,9 +1432,9 @@ "28738f9f-7427-4d23-bc69-756708b5f624": { "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", - "sha256": "6d8b1a876a2e1ce2967be858e2e4cfecd82d84c47b08d8e33c72e22725073eb2", + "sha256": "29566bc20e44999833de4b93b85e993bbca41d4c16ca41f5fe01ea80ad52937a", "type": "eql", - "version": 5 + "version": 6 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", 
@@ -1241,37 +1445,62 @@ "28d39238-0c01-420a-b77a-24e5a7378663": { "min_stack_version": "8.3", "rule_name": "Sudo Command Enumeration Detected", - "sha256": "ea5c6d696a82dd4d7d63fb04dd726e8b1fb33ac4622151663d19d31ef7a99a67", + "sha256": "765e6c39bbdfecbbfd3ffa1a44b4838d06c295b53d4b73143316ec99c8b3550b", "type": "eql", - "version": 2 + "version": 3 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Security Group Configuration Change Detection", + "sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67", + "sha256": "f057a319aa5b049290fa8416727ae3ef64bb9ac7779901a61713efe9acef57da", "type": "query", - "version": 103 + "version": 205 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "47309853f13ad591cfcbb60814b5c1a7c731abfc3f5349fbb5e9acb25b347134", + "sha256": "a6231a8bcd050f72676f997117e09ea1f8873a178971237eb2b54404906f0c95", "type": "eql", - "version": 107 + "version": 108 }, "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.3", "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "e1d3e0942816bd8564b7abde73127790f145ce3332346d041fbc1e0421600524", + "sha256": "13c2fcb9dbaf1339d3e3b7e5fa159bc1a2875aee235776f1bb13518d49a8d738", "type": "eql", - "version": 106 + "version": 107 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Enumeration of Privileged Local Groups Membership", + "sha256": 
"f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3", + "type": "eql", + "version": 108 + } + }, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3", - "type": "eql", - "version": 108 + "sha256": "6f6f6175fa206cf7e0c3a47488388561ee39b49bc0b1f18f6baede4fe3ded355", + "type": "new_terms", + "version": 208 + }, + "29ef5686-9b93-433e-91b5-683911094698": { + "min_stack_version": "8.6", + "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", + "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", + "type": "new_terms", + "version": 1 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { "min_stack_version": "8.3", @@ -1283,9 +1512,9 @@ "2a692072-d78d-42f3-a48a-775677d79c4e": { "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", - "sha256": "2f246e33c5b5318512de95d017377941e955a43a607619340a1ee900353ca612", + "sha256": "8dd9f5b2abfa297105040ebfc4e441af646a5bec20f8ee97a6856351c8e1f99b", "type": "eql", - "version": 3 + "version": 4 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "min_stack_version": "8.4", @@ -1306,16 +1535,16 @@ "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Grep", - "sha256": "8193724c74f8c3bda981c1ea69c1775177c530e3a5d30e2387577bd4abaa66f2", + "sha256": "01993ae1314c912204f7b87a0999c27cd2861f56a7a0b766dd0bbe4119dc0c9f", "type": "eql", - "version": 3 + "version": 4 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.3", "rule_name": "Adobe Hijack Persistence", - "sha256": "9aeae912e062be1da7e7f26a9a5cb726d945ce4bba3c5b040a131c5636920a59", + "sha256": "6c4da0a89fa984f5f93fd0fa33b26bc6bee17987271ce73792eb19e342bd9289", "type": "eql", - "version": 107 + "version": 108 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "min_stack_version": "8.3", 
@@ -1343,9 +1572,9 @@ } }, "rule_name": "Enumeration of Kernel Modules", - "sha256": "e66fa90d3d617373ae52b10b1487f5d53b35fea7e11bf4371ccaf37fe0782482", + "sha256": "2fa255256633606f39637f99e60437fd03db8f4721370c5cefa5c65857661e01", "type": "new_terms", - "version": 205 + "version": 206 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.8", @@ -1359,9 +1588,16 @@ } }, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "df14ef4e07fceb0c56c6aa4890c718fa6bd9c54adc900f5bf264727e7a7c0d37", + "sha256": "2c9cb831e23495341a51736efbfd144c71ae76cd1e9219fdc2078d70cdbc0407", "type": "eql", - "version": 208 + "version": 209 + }, + "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { + "min_stack_version": "8.3", + "rule_name": "Potential SSH-IT SSH Worm Downloaded", + "sha256": "2235a3c31df521f4cbbff7cf12df793eb343d389777cc8851c382a1434bef647", + "type": "eql", + "version": 1 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "min_stack_version": "8.3", @@ -1387,9 +1623,9 @@ "2e29e96a-b67c-455a-afe4-de6183431d0d": { "min_stack_version": "8.3", "rule_name": "Potential Process Injection via PowerShell", - "sha256": "58530124be115763c6110e3c32f34e5fc8c70fa063e74e97252e3dcccc45a1f0", + "sha256": "3921a45db23fa07aa23f52a05c6cc6645307b5795c62c52f1ab0e7119b93182b", "type": "query", - "version": 107 + "version": 108 }, "2e311539-cd88-4a85-a301-04f38795007c": { "min_stack_version": "8.3", @@ -1401,9 +1637,9 @@ "2e580225-2a58-48ef-938b-572933be06fe": { "min_stack_version": "8.3", "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "09e550845fb86206a91ec5d634e2a5427e344a491c0c76e59a66b6f4a4d4f99e", + "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", "type": "query", - "version": 102 + "version": 104 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.3", 
@@ -1422,30 +1658,37 @@ "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "ec46e116c1fd77711b1cc1c49189cb9495b50a6d18e577cd1d5214de5233c641", + "sha256": "65b15ece2e91066379c4bf4c8646bde0a3f995c713d228332c5ef3af665e3c0d", "type": "query", - "version": 107 + "version": 108 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable Syslog Service", - "sha256": "2a77643c47329e2c910e5c86d8c3b2f0cf2b93527ad5bc129d7e614c07ba6369", + "sha256": "bdea522d5730e3c4d4239717173a709ebc5ff118296edbcb70faeb3e62cdcc0d", "type": "eql", - "version": 106 + "version": 107 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "min_stack_version": "8.3", "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "2164ee6d1c3cd39e214f6c965e6cbd0a1dd158e51dd0d883fe83d6915d5f4621", + "sha256": "c77de421e7a60ec97356465d4a834fc49fed6b0b7ae28debbac3786b07459d62", "type": "eql", - "version": 107 + "version": 108 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.3", "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "414eb4b19b8f79b0c86119bc090d5a342e45837af770df8d3365d3ab81bf5036", + "sha256": "1e95c5544b74d84ae96e15fafa7f0ffb9e564fa1552c02adbdf2d0bb9e68e7a3", "type": "eql", - "version": 106 + "version": 107 + }, + "301571f3-b316-4969-8dd0-7917410030d3": { + "min_stack_version": "8.9", + "rule_name": "Malicious Remote File Creation", + "sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0", + "type": "eql", + "version": 1 }, "30562697-9859-4ae0-a8c5-dab45d664170": { "min_stack_version": "8.3", 
@@ -1457,9 +1700,9 @@ "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "min_stack_version": "8.5", "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "9375d07c27d373fae95ace527be0d4a8117abd263b43adfb31536459bda562a9", + "sha256": "7f96205f8ffdfb7be7c57a34dbdf149f99a13961e1477d17815ad48f85b7bdc0", "type": "eql", - "version": 3 + "version": 4 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "min_stack_version": "8.3", @@ -1471,16 +1714,16 @@ "31295df3-277b-4c56-a1fb-84e31b4222a9": { "min_stack_version": "8.3", "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "394278b77c3a54380ee197c9763706f2e530452d5b564a4c0d6b14137d57f87e", + "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446", "type": "query", - "version": 102 + "version": 104 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "min_stack_version": "8.3", "rule_name": "Bypass UAC via Event Viewer", - "sha256": "c52ce2472b85ca6486fe8ffef36ba98c35db8cd02a58a3e00cbdfbe6448fa7e7", + "sha256": "2ca2ed5d2836beb7bbbfd48b039b171774baba1b8995a88ab16943fbbb170fa9", "type": "eql", - "version": 107 + "version": 108 }, "3202e172-01b1-4738-a932-d024c514ba72": { "min_stack_version": "8.3", @@ -1499,9 +1742,9 @@ "32923416-763a-4531-bb35-f33b9232ecdb": { "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "f989ae55a6fdc1e9c9a11c92fd231aa626b1bb662b0a119d8f5cae8d3c0f3577", + "sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea", "type": "query", - "version": 102 + "version": 103 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.3", 
@@ -1513,23 +1756,32 @@ "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.3", "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "bfcb1a92ded4fab88e6d4e463b78405b82e80e00b2b0e1260ba1ff8164ac01dd", + "sha256": "dfea65085c4b690895eb691760b4a9025da59cecbf5c4ff242c26713ede0bb2c", "type": "eql", - "version": 106 + "version": 107 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM User Addition to Group", + "sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM User Addition to Group", - "sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d", + "sha256": "e6dc79527703135b1ce027a5d88baa39dd4c3512d0a5f56a036b8a27eab4ee81", "type": "query", - "version": 106 + "version": 208 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Find", - "sha256": "9d95402d5a02b1571ef1d3e5ad966c19fd3cbeff7b5fa58198ac9151e1923ba0", + "sha256": "f71d1a0fc2a3a9498c1c07bb8d19631c82ed04d6216b650b39cf5c767ccd0ea4", "type": "eql", - "version": 3 + "version": 4 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "min_stack_version": "8.3", @@ -1555,9 +1807,9 @@ "34fde489-94b0-4500-a76f-b8a157cf9269": { "min_stack_version": "8.3", "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "6fde829b7083578ace3bcf3cb7d8c73a7cc94241c0a398fbc0d6b2ccf1f46505", + "sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1", "type": "query", - "version": 103 + "version": 104 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "min_stack_version": "8.3", 
@@ -1569,9 +1821,16 @@ "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.3", "rule_name": "Port Forwarding Rule Addition", - "sha256": "83831c2c3a4be02d59440da6f570b9d7e7064ecf5fa6df5565f36e68b68cd2ce", + "sha256": "2ec830c30a80eba9d2bfb5dc78d0ce64e7eb8f66ea2f8266e666d077fa916852", "type": "eql", - "version": 106 + "version": 107 + }, + "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { + "min_stack_version": "8.9", + "rule_name": "Spike in Bytes Sent to an External Device", + "sha256": "a8debadb004c9ca04fb7f3321cd45dc0ad8f93d6437be72cbbc5d09b84382fd1", + "type": "machine_learning", + "version": 1 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "min_stack_version": "8.3", 
@@ -1596,30 +1855,46 @@ "3688577a-d196-11ec-90b0-f661ea17fbce": { "min_stack_version": "8.3", "rule_name": "Process Started from Process ID (PID) File", - "sha256": "b4e738c5be1bba9711b183dd54a22a8c10aec54e4a5310352cc7ac4ad24b9af1", + "sha256": "cafe78e9310f27ba8cdcfb8fbc318a1a2f55223679ea3d91c3a0877dd578b7d3", "type": "eql", - "version": 106 + "version": 107 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "min_stack_version": "8.3", "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "2684dc4258fdff2568772c371afcba2729e543adeac05d5e8fbad36f45417fec", + "sha256": "dabff5221c0b2f406165374af490dcdb04a568295196b805962ea4b2e88e734e", "type": "eql", - "version": 104 + "version": 105 + }, + "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { + "min_stack_version": "8.9", + "rule_name": "High Mean of Process Arguments in an RDP Session", + "sha256": "43e809e5064a205d0a1e107068d372415cecef22a677dc5acb3bd91b754772b5", + "type": "machine_learning", + "version": 1 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious File Edit", - "sha256": "46076a578186ec461ee06fdb94def49ec0f94300cea3bd8364ebfc75895b65ae", + "sha256": "0f9b9c003bc39253a948a9da6d7c5b5263d9d1dc3c73abf730550e6c0c3ff687", "type": "eql", - "version": 2 + "version": 3 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Security Group Creation", + "sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Security Group Creation", - "sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a", + "sha256": "6ed9dc7097e846293dbf822a322406b46fcbd9d6642245a4dfbc73aabd62537b", "type": "query", - "version": 103 + "version": 205 }, "37994bca-0611-4500-ab67-5588afe73b77": { "min_stack_version": "8.3", 
@@ -1635,11 +1910,20 @@
 "version": 100
 },
 "37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 207,
+ "rule_name": "AWS Execution via System Manager",
+ "sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60",
+ "type": "query",
+ "version": 108
+ }
+ },
 "rule_name": "AWS Execution via System Manager",
- "sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60",
+ "sha256": "f01c87073629652bd0f1abe3f300881145bb533a262308717ffcc0bab17a3dd0",
 "type": "query",
- "version": 106
+ "version": 208
 },
 "37f638ea-909d-4f94-9248-edd21e4a9906": {
 "min_stack_version": "8.3",
@@ -1649,11 +1933,20 @@
 "version": 104
 },
 "3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Attempted Bypass of Okta MFA",
+ "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2",
+ "type": "query",
+ "version": 107
+ }
+ },
 "rule_name": "Attempted Bypass of Okta MFA",
- "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2",
+ "sha256": "6873fd08617e0efde5dccf424aacbfe7057877288810c2ed68293f795964241b",
 "type": "query",
- "version": 105
+ "version": 207
 },
 "3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
 "min_stack_version": "8.3",
@@ -1684,11 +1977,20 @@
 "version": 2
 },
 "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 204,
+ "rule_name": "AWS EC2 Network Access Control List Creation",
+ "sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "AWS EC2 Network Access Control List Creation",
- "sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4",
+ "sha256": "ad7864116d4d41fba90af76f8325d2a86358ed55b0b9be7204d8983cc62b2614",
 "type": "query",
- "version": 103
+ "version": 205
 },
 "39157d52-4035-44a8-9d1a-6f8c5f580a07": {
 "min_stack_version": "8.3",
@@ -1707,9 +2009,9 @@
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "min_stack_version": "8.3",
 "rule_name": "Potential DNS Tunneling via NsLookup",
- "sha256": "fd0213ea9905c71a65f94da36a92164a378cd8232856a0ac441ae9f7d49fb108",
+ "sha256": "fb96d295d12b3d405dc93ad509f792885c4e32bb760c7518b005755a6ad6acb4",
 "type": "threshold",
- "version": 106
+ "version": 107
 },
 "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
 "min_stack_version": "8.3",
@@ -1727,9 +2029,9 @@
 "3ad49c61-7adc-42c1-b788-732eda2f5abf": {
 "min_stack_version": "8.3",
 "rule_name": "VNC (Virtual Network Computing) to the Internet",
- "sha256": "f452215a79041dee079474e59d224d2fb4c3c03ed44830b5e5d36e4d1ab89007",
+ "sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
 "min_stack_version": "8.3",
@@ -1755,9 +2057,9 @@
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "min_stack_version": "8.3",
 "rule_name": "NTDS or SAM Database File Copied",
- "sha256": "cd3c9afd05e54eb93da83e2d90065582aaad08ee77a94fae48f952f89c46e626",
+ "sha256": "691edf20cc218616ece6013dbbfe102d01c87c91cfd3bd49ea126eb3830c5982",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "min_stack_version": "8.3",
@@ -1769,16 +2071,32 @@
 "3d3aa8f9-12af-441f-9344-9f31053e316d": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Script with Log Clear Capabilities",
- "sha256": "26c1661135e8af69b7d550fd193137f635de465260e8fd9c383708024444180c",
+ "sha256": "ad925532e35677e84cb73970b142002377617338f4574eb6ca4dbd7bfcdb37a7",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "3e002465-876f-4f04-b016-84ef48ce7e5d": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 207,
+ "rule_name": "AWS CloudTrail Log Updated",
+ "sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99",
+ "type": "query",
+ "version": 108
+ }
+ },
 "rule_name": "AWS CloudTrail Log Updated",
- "sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99",
+ "sha256": "889bfc3e221a4919949c2b2fab1b12ee9a96a75c27e1e249c243318f7bd81063",
 "type": "query",
- "version": 106
+ "version": 208
+ },
+ "3e0561b5-3fac-4461-84cc-19163b9aaa61": {
+ "min_stack_version": "8.9",
+ "rule_name": "Spike in Number of Connections Made from a Source IP",
+ "sha256": "d02ca6fa6392da7a7d8757ae5757e04feb7e340f9b58af698935f60f077e5b80",
+ "type": "machine_learning",
+ "version": 1
 },
 "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
 "min_stack_version": "8.3",
@@ -1794,6 +2112,13 @@
 "type": "eql",
 "version": 104
 },
+ "3e441bdb-596c-44fd-8628-2cfdf4516ada": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Remote File Execution via MSIEXEC",
+ "sha256": "1d20b245f40477327dbf43e563d8a93eca7531b9c1fa4649a0e9692d0eb33b01",
+ "type": "eql",
+ "version": 1
+ },
 "3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
 "min_stack_version": "8.3",
 "rule_name": "Privilege Escalation via Named Pipe Impersonation",
@@ -1834,16 +2159,16 @@
 "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Protocol Tunneling via Chisel Client",
- "sha256": "337011e93c02efa090b9a19745d82c3d58fd18bee555ff69edaff5e9ff1466b7",
+ "sha256": "2bc6f32144a2b110dfc14493dc5930b3aa2c23ca7d00b46924c2643ac2d73c45",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
 "min_stack_version": "8.3",
 "rule_name": "Binary Executed from Shared Memory Directory",
- "sha256": "b3aad2bca92e5e1acd788cfd14d9606aa4b803a48bf303ad37e210739fec9d24",
+ "sha256": "511ca509d7faf58b68373d12932edd1aef607c53de1314647b3764b976fb35fe",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "3f4d7734-2151-4481-b394-09d7c6c91f75": {
 "min_stack_version": "8.3",
@@ -1852,26 +2177,56 @@
 "type": "eql",
 "version": 2
 },
+ "3f4e2dba-828a-452a-af35-fe29c5e78969": {
+ "min_stack_version": "8.9",
+ "rule_name": "Unusual Time or Day for an RDP Session",
+ "sha256": "649d4962dc3c27de65026dd648d4e7b0e8285a58920fe69e4994449af66eac61",
+ "type": "machine_learning",
+ "version": 1
+ },
+ "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
+ "min_stack_version": "8.9",
+ "rule_name": "Unusual Process Spawned by a User",
+ "sha256": "76ae6142111e83c98205115ae9df5b7be5f1c79187429dbf5dba2f51c0cdb4d6",
+ "type": "machine_learning",
+ "version": 1
+ },
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Persistence via Services Registry",
- "sha256": "5bb822cc67b9581124c21c5f4abb213946ce935b1c3f3ca248d1c2fcd9ce54e6",
+ "sha256": "0f9c30762b9d866395af98426eb9a784abbf168110167161bb7302fc4402a8dc",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.6",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 102,
+ "rule_name": "Suspicious Modprobe File Event",
+ "sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Suspicious Modprobe File Event",
- "sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c",
+ "sha256": "c6ccd9c0ba411da8142f15ca71dd04dca27e1ec82b527324439621b449f4812d",
+ "type": "new_terms",
+ "version": 103
+ },
+ "41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
+ "min_stack_version": "8.3",
+ "rule_name": "Unix Socket Connection",
+ "sha256": "38561d8ce173227b49b1459ae11d38bfba76385fa68298e1ddb7b8603d57a8b6",
 "type": "eql",
- "version": 3
+ "version": 1
 },
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "min_stack_version": "8.3",
 "rule_name": "Control Panel Process with Unusual Arguments",
- "sha256": "adeea0cfa04ee8759f832217f19f0ce3d6952e72c717c271909ab099034c8659",
+ "sha256": "1de1e9aa9030d56c6c6629cd92e3ba65d61bfc9063b76ea2abe412899a224d3f",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "41824afb-d68c-4d0e-bfee-474dac1fa56e": {
 "min_stack_version": "8.3",
@@ -1895,11 +2250,20 @@
 "version": 2
 },
 "42bf698b-4738-445b-8231-c834ddefd8a0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Okta Brute Force or Password Spraying Attack",
+ "sha256": "9ecdb590d2df1959b2b11908911f24308925c345cce10b0370721afd09a2196e",
+ "type": "threshold",
+ "version": 107
+ }
+ },
 "rule_name": "Okta Brute Force or Password Spraying Attack",
- "sha256": "9ecdb590d2df1959b2b11908911f24308925c345cce10b0370721afd09a2196e",
+ "sha256": "60954a70897438ce1627fe0aab388688a6c189b04e7eca5543e0c450283c029b",
 "type": "threshold",
- "version": 105
+ "version": 207
 },
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "min_stack_version": "8.3",
@@ -1925,9 +2289,9 @@
 "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
 "min_stack_version": "8.3",
 "rule_name": "Linux User Added to Privileged Group",
- "sha256": "a48dc7ec63791f8c62b58bfbca37d6765b39621454d2720ac839e13758d02adb",
+ "sha256": "3730f04f7a829d9ca0f149c00ebd1c6cd07226bad5915f6295d82656e40bf5f8",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "min_stack_version": "8.3",
@@ -1946,9 +2310,9 @@
 "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Masquerading as VLC DLL",
- "sha256": "d3d1985a8512a777f4738794f03380c077f3c84594acd1aefdf22211a59bfba8",
+ "sha256": "ed65c5d1379b83e560f4fa24ff1f51887de783c7e8f3fc329b717a14700a859c",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
 "min_stack_version": "8.3",
@@ -1974,23 +2338,23 @@
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "min_stack_version": "8.3",
 "rule_name": "Encrypting Files with WinRar or 7z",
- "sha256": "a8e0ecc0284175dcd1f57756fc03477d87d4fecfee80397c01f1490f52ed9b66",
+ "sha256": "576f44e57f57bcc5a260380c704c2c253b9f8fcefa472e5b4339b0e138c9112b",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "min_stack_version": "8.3",
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "99fb4c9799becbcb9eaf99a6b9a8c21d74415d2a27790c5e52798590df285c07",
+ "sha256": "5b1155c651c8cba197b8525501a76da112e7941889fa0a8b5b0e27caf1105deb",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "4682fd2c-cfae-47ed-a543-9bed37657aa6": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": "3df00646c1daf36bfe94ebc4e75150121576981877aeb3d5d6c17fc11bb6fb2b",
+ "sha256": "990b886b92cb87798246a158ca46bf1b61eb1ac09d2e34d3744dee85300efb72",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "min_stack_version": "8.3",
@@ -2002,9 +2366,9 @@
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
 "min_stack_version": "8.6",
 "rule_name": "Potential Persistence Through init.d Detected",
- "sha256": "ec686d5f69b96d1fefa61938439b2be36a7d62b6ec9a5277294454b9d21f090c",
+ "sha256": "c231805a854c98302dcc5c774688217904e4960a000e193bb04158fac9a0b743",
 "type": "new_terms",
- "version": 5
+ "version": 6
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "min_stack_version": "8.8",
@@ -2016,9 +2380,9 @@
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
- "sha256": "5c400174c733b48a59cb568595f1b992705473fc85698c48a5006a770c99ddb6",
+ "sha256": "264b7c418b25b248ad38bc172ac651d639a720a652fba044e02596419b889ef5",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
@@ -2036,9 +2400,9 @@
 "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
- "sha256": "bbe5ae3b8a285ccb4c26e9a210d268966a5996803f54073b159507458f48ee7b",
+ "sha256": "99db297efd0e9e1c456c8eaddae105366196554aa82301813ee7a4aba19911cd",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "48819484-9826-4083-9eba-1da74cd0eaf2": {
 "min_stack_version": "8.6",
@@ -2050,9 +2414,9 @@
 "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell",
- "sha256": "f29f06799ee7b6289d2ba8ffcd4908551efa144016a33e8eaa47b94f2370da97",
+ "sha256": "b10222772b435ef7d9cf4dfa4b50a492a7900cc176fdf11e901159c69d62d2b8",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "min_stack_version": "8.3",
@@ -2075,6 +2439,13 @@
 "type": "query",
 "version": 104
 },
+ "48f657ee-de4f-477c-aa99-ed88ee7af97a": {
+ "min_stack_version": "8.3",
+ "rule_name": "Remote XSL Script Execution via COM",
+ "sha256": "19961cd9171e3ef5204e98314fdf573ac68e28c6ab1c5e91b5f1d71c919ea7db",
+ "type": "eql",
+ "version": 1
+ },
 "493834ca-f861-414c-8602-150d5505b777": {
 "min_stack_version": "8.3",
 "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
@@ -2085,9 +2456,9 @@
 "494ebba4-ecb7-4be4-8c6f-654c686549ad": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Backdoor User Account Creation",
- "sha256": "eb9cf2a2df73743755d82c3d776ba2ffd7f17ef1773d32e3def0fb2fd6c50988",
+ "sha256": "333fc1776029a4e23f0c6df62d3370c335760abb4aa501be982831e2e71341d7",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "495e5f2e-2480-11ed-bea8-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -2108,30 +2479,30 @@
 "4973e46b-a663-41b8-a875-ced16dda2bb0": {
 "min_stack_version": "8.6",
 "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
- "sha256": "b29c0c0615f8cdfe01647648349a42a142712d082bff8d986549ed7b4956c0d7",
+ "sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "4982ac3e-d0ee-4818-b95d-d9522d689259": {
 "min_stack_version": "8.3",
 "rule_name": "Process Discovery Using Built-in Tools",
- "sha256": "0f03ec3cf254ddaf2fb897452085888fda783e6d3394923b04505ac968500d17",
+ "sha256": "37099aca1b1bdce63f77e75103ff60a0d61898af8036c43eaa2f4d672bd326dd",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "4a4e23cf-78a2-449c-bac3-701924c269d3": {
 "min_stack_version": "8.3",
 "rule_name": "Possible FIN7 DGA Command and Control Behavior",
- "sha256": "4fbdf3bd4ba58ab5558059d13784148c40f700fc0726f9df2b88d02dcd301625",
+ "sha256": "599489e4a0c4b02a7717d928a5881b6281d1362970adb1074d5362a33c45444b",
 "type": "query",
- "version": 102
+ "version": 104
 },
 "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
- "sha256": "8a3258a1db6d86b53f94205b24cc30b455508da7981acdcec7d44df34131b612",
+ "sha256": "42573412f6b2d0083dfd8c9fc5945f654cc818d4cea60939076a6cf5967a2b7d",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
 "min_stack_version": "8.3",
@@ -2142,10 +2513,10 @@
 },
 "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
 "min_stack_version": "8.3",
- "rule_name": "Potential Reverse Shell via Suspicious Parent Process",
- "sha256": "92665fcb5d7f54bd4531c913e33b9cd692aa92cf5ee65941d69c6c2a0aa5c260",
+ "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
+ "sha256": "c71a551642317ffccfbd85c414cc689e14d3a2deea09251aa8ac9895963bb204",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "min_stack_version": "8.3",
@@ -2168,6 +2539,13 @@
 "type": "eql",
 "version": 1
 },
+ "4b95ecea-7225-4690-9938-2a2c0bad9c99": {
+ "min_stack_version": "8.9",
+ "rule_name": "Unusual Process Writing Data to an External Device",
+ "sha256": "89378fe5870a5d6d2e956d464c722bdba8845495639f22082cb218dfe9c4fbf0",
+ "type": "machine_learning",
+ "version": 1
+ },
 "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
@@ -2178,23 +2556,32 @@
 "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Share Enumeration Script",
- "sha256": "c39e8202c6aa104cacdbd7f152f22e19bf2a5e6da299ab44464663d93c2175e1",
+ "sha256": "0ad222085b8d696dd4df1055275c7fc6989064286734182865e772fbd8aac3c9",
 "type": "query",
- "version": 6
+ "version": 7
 },
 "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
 "min_stack_version": "8.3",
 "rule_name": "Kernel Load or Unload via Kexec Detected",
- "sha256": "06f6564ca643c6532abb1cdaa5f7b63ff7967e301d6d4c7fb188471da4c03140",
+ "sha256": "d4da085e36a4b1a471325f7c34f050486db0b5900302611bfda3c2d85305028b",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 204,
+ "rule_name": "AWS Management Console Brute Force of Root User Identity",
+ "sha256": "32d9ab18831ca9798b2304547daeb8258a6f8905a01a54c468b20409eee885f6",
+ "type": "threshold",
+ "version": 105
+ }
+ },
 "rule_name": "AWS Management Console Brute Force of Root User Identity",
- "sha256": "32d9ab18831ca9798b2304547daeb8258a6f8905a01a54c468b20409eee885f6",
+ "sha256": "c7f85d799207c359e3f84f41c0473858bad893198ffa7f3d8327d153eb0b422c",
 "type": "threshold",
- "version": 103
+ "version": 205
 },
 "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
 "min_stack_version": "8.3",
@@ -2206,9 +2593,9 @@
 "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
 "min_stack_version": "8.3",
 "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
- "sha256": "2f90c20e27fe53e8d19581d66c3700d0e607aeca622f713dffbee083470bdbf7",
+ "sha256": "cdad95a52719987cf204d9063951cbe05b1e08a28f4d91b3cf8f5d5aa48800d2",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
 "min_stack_version": "8.3",
@@ -2220,44 +2607,53 @@
 "4ec47004-b34a-42e6-8003-376a123ea447": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Process Spawned from MOTD Detected",
- "sha256": "d6507cd42eb759b19bc5d612350f5fee646f38be4fe487ebc7121f70ac057de9",
+ "sha256": "ed16c35ba79c045b3ae6cd2406ac39e5ee143767a2f8ae4a0a8ac6fb738b16c3",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
- "sha256": "93581d9de1f2ecba9d10b0b90fc4802c633fdc525cef6b539c20da833098dbfc",
+ "sha256": "05f50e5500930fb6e8ed1646e88db67b24a1430eb1fb589bb9976dd052f0f44d",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Script Object Execution",
- "sha256": "3b2f5bb731e55d25192b6e44e2f8e2453784591f0b9be178867e26489f73a694",
+ "sha256": "41b132e87127770048e08a8d65fb63fd3180ee0d52ad69f666c0abe1ab20afd2",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Unauthorized Access to an Okta Application",
+ "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Unauthorized Access to an Okta Application",
- "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
+ "sha256": "6cf84f243e86183b9bc2efdc39aa92f7573c421593ce71f1ce90dd87daf5b2dd",
 "type": "query",
- "version": 104
+ "version": 206
 },
 "4fe9d835-40e1-452d-8230-17c147cafad8": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via TSClient Mountpoint",
- "sha256": "d133f690998687a3f65041994c005ecd901bab7ac5c3504f34a8f2ca04cadbf5",
+ "sha256": "1717dbef17fd0507846473218f580ffdf11e5ba35497e2beb391d506d75289dd",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "51176ed2-2d90-49f2-9f3d-17196428b169": {
 "min_stack_version": "8.3",
 "rule_name": "Windows System Information Discovery",
- "sha256": "97b96679737e68fddbc04eaf2cdb22e954524acf822f15557c9d8e5de258496c",
+ "sha256": "2c0c54011671e9e99d2654529520c137188a4bbcf8feb0beb28c196f0525d88e",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "5124e65f-df97-4471-8dcb-8e3953b3ea97": {
 "min_stack_version": "8.3",
@@ -2269,9 +2665,9 @@
 "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
 "min_stack_version": "8.3",
 "rule_name": "Registry Persistence via AppCert DLL",
- "sha256": "b62558c73fd30587a1edeb6e1a36b61cf60b19070b994e570a3f4bd023f546cd",
+ "sha256": "d098bba4900b382c6cd742182baba85a01b2337fbd4ff36da2bc9fdf6b408b7c",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "514121ce-c7b6-474a-8237-68ff71672379": {
 "min_stack_version": "8.3",
@@ -2290,30 +2686,46 @@
 "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
 "min_stack_version": "8.3",
 "rule_name": "Incoming DCOM Lateral Movement with MMC",
- "sha256": "f944e30753df250f1d624c4c46ee0f5a60767d7d8ebc3d60af90ca77daab281d",
+ "sha256": "298d203a01db67a0653310a2665d704f81a97db74789cbe2fdf632ebe7574155",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
- "sha256": "c3228a5cb84c6e646834e1f6a578e0b7c642d97082d1faf6cb28e94b94553d66",
+ "sha256": "4111de70c21f8c5461da2f1b30720b9621c857bc8526b1d4e71bcc108b95c928",
 "type": "eql",
- "version": 1
+ "version": 3
 },
 "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 204,
+ "rule_name": "AWS GuardDuty Detector Deletion",
+ "sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "AWS GuardDuty Detector Deletion",
- "sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6",
+ "sha256": "238e31f86ad8ffd8ec077358374a122a8c7bbee39ce994f761ad3441be820a9c",
 "type": "query",
- "version": 103
+ "version": 205
 },
 "52376a86-ee86-4967-97ae-1a05f55816f0": {
 "min_stack_version": "8.3",
 "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
- "sha256": "6290c2857ed36cf95047595761ef26fcbd7d025b31e56eb92016113c70d70c5a",
+ "sha256": "0076c9eafb579f6fb93d35d66309a205f3d0912a8b7a302ea2e917e5e04dd2f8",
 "type": "eql",
- "version": 108
+ "version": 110
+ },
+ "5297b7f1-bccd-4611-93fa-ea342a01ff84": {
+ "min_stack_version": "8.3",
+ "rule_name": "Execution via Microsoft DotNet ClickOnce Host",
+ "sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7",
+ "type": "eql",
+ "version": 1
 },
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "min_stack_version": "8.3",
@@ -2351,16 +2763,25 @@
 "53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
 "min_stack_version": "8.6",
 "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
- "sha256": "7602af82bdc7fc4962b73c42451d8500e779a3338601f49ea49ea9398fa49613",
+ "sha256": "1fcaecb0c8b60fb9a393726f18411473957d935a9676d2e345121e3f07f5c200",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 204,
+ "rule_name": "AWS EFS File System or Mount Deleted",
+ "sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "AWS EFS File System or Mount Deleted",
- "sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2",
+ "sha256": "28f9744c81cfffbf8417f66ee1911ac9da89e9e352c5db4f0af9d725cd73c907",
 "type": "query",
- "version": 103
+ "version": 205
 },
 "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
 "min_stack_version": "8.3",
@@ -2372,16 +2793,16 @@
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "0b1c1a7d64bb481a68482e3f0954ce0e55df7b26264d3e358b230b5670c80094",
+ "sha256": "ddf1b60a6118bc0c50833a0f13cf88f3838ebcc8f0f60d42ad91bad81b07634d",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "53dedd83-1be7-430f-8026-363256395c8b": {
 "min_stack_version": "8.3",
 "rule_name": "Binary Content Copy via Cmd.exe",
- "sha256": "3ab2b049abaa1462ebed7b019dcd5da6957b5328c2ce7d2eb86b87e74a4ec28d",
+ "sha256": "8ece78d3d804106f87c006fdd8a027648880338a3a56c52e28a393d8f18aff40",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "min_stack_version": "8.3",
@@ -2393,9 +2814,9 @@
 "54a81f68-5f2a-421e-8eed-f888278bb712": {
 "min_stack_version": "8.3",
 "rule_name": "Exchange Mailbox Export via PowerShell",
- "sha256": "7abb75759648c733f8e4b39c60bd36ccf8b431e1fd27097e698724bc33d34e4b",
+ "sha256": "b7e3322f384197eb6eef899fcd0dab3032f80e4707f62046e423fe51756f2e9a",
 "type": "query",
- "version": 4
+ "version": 6
 },
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "min_stack_version": "8.3",
@@ -2414,9 +2835,23 @@
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "min_stack_version": "8.3",
 "rule_name": "PsExec Network Connection",
- "sha256": "9dac69f62fd68c1763945debf1417db0fdb9384fc3200ddb80fad443bd7ed6fa",
+ "sha256": "ea9ce524558142eeb928e1288478f70877cf06e9b9344009845c85f0257329e7",
 "type": "eql",
- "version": 106
+ "version": 107
+ },
+ "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
+ "min_stack_version": "8.3",
+ "rule_name": "Windows Installer with Suspicious Properties",
+ "sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753",
+ "type": "eql",
+ "version": 1
+ },
+ "56004189-4e69-4a39-b4a9-195329d226e9": {
+ "min_stack_version": "8.9",
+ "rule_name": "Unusual Process Spawned by a Host",
+ "sha256": "79250afad59e7a34a28a1fc9474da4c16612e73c23032855389f019fa153add8",
+ "type": "machine_learning",
+ "version": 1
 },
 "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
 "min_stack_version": "8.3",
@@ -2449,23 +2884,32 @@
 "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell PSReflect Script",
- "sha256": "443cf0180678565fae6aab3fde53464a3fc6f6161ae2be250b2f29d08e3b1071",
+ "sha256": "8d62732e2d51a8e4d9e1d8705b48e82534ff622c316a9d2a217a2765ae84e988",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.6",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 101,
+ "rule_name": "Execution of an Unsigned Service",
+ "sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc",
+ "type": "eql",
+ "version": 2
+ }
+ },
 "rule_name": "Execution of an Unsigned Service",
- "sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc",
- "type": "eql",
- "version": 2
+ "sha256": "296152e8a3e1843df21e40fa6f6a05608b99b61ab06971ab80e9a3a35910b4fb",
+ "type": "new_terms",
+ "version": 103
 },
 "5700cb81-df44-46aa-a5d7-337798f53eb8": {
 "min_stack_version": "8.3",
 "rule_name": "VNC (Virtual Network Computing) from the Internet",
- "sha256": "57330331ceebc76d136b11b9a4aad37660028ce464cffd529f0023ad0a5399b2",
+ "sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
 "min_stack_version": "8.3",
@@ -2491,23 +2935,23 @@
 "57bccf1d-daf5-4e1a-9049-ff79b5254704": {
 "min_stack_version": "8.3",
 "rule_name": "File Staged in Root Folder of Recycle Bin",
- "sha256": "a7e0bdbc40a12b3b58f7280e709f99363b6d9362d4c0c91bcd926dddeeb4f466",
+ "sha256": "88ae25fb6df6c66c976902e4f17c39a5af63c217bb4aa298e7f898b003fa484d",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "min_stack_version": "8.3",
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
- "sha256": "2d5a85f9eb6c5a5b43149530f52a4cdbf41fb37009ec5f4ea1d572b4a127ba99",
+ "sha256": "f0914d5ae89b3f5372c087cd0c5983df509da91941322047aaad22d445cfb577",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
 "min_stack_version": "8.3",
 "rule_name": "RDP Enabled via Registry",
- "sha256": "52fb0f6d5a15c031eb4ebdbb0bf86a16bd94e0aa3d3d4b9c9adb3a7019c79cc8",
+ "sha256": "a599e437dfc14b51f8ce6559e5595673b50429581388655e03d7999961ec6cf6",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
 "min_stack_version": "8.3",
@@ -2519,16 +2963,16 @@
 "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Lateral Tool Transfer via SMB Share",
- "sha256": "f0754341d4737d98a3c079a807fdf62a876b2b9e37eddce760a538f8e135a3fb",
+ "sha256": "a9ada00d22041e1fc97021dfb923cb62dfcafe5849324b04534f7c53a65903d4",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "sha256": "1bba6c4e3e7130c507b6c959c9bf912171eb7a1f1cdcb69a6cf8bfd62e4ebdae",
+ "sha256": "04c918e4a5b742f9df828e957a708565731d36df760ffbf94a8dc6f331539f7b",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "5919988c-29e1-4908-83aa-1f087a838f63": {
 "min_stack_version": "8.3",
@@ -2545,11 +2989,20 @@
 "version": 102
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "AWS CloudTrail Log Created",
+ "sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "AWS CloudTrail Log Created",
- "sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26",
+ "sha256": "84221ea6d1d7084ea241331b852a80ca276abc757430ea68253a3add4daca7a4",
 "type": "query",
- "version": 104
+ "version": 206
 },
 "59756272-1998-4b8c-be14-e287035c4d10": {
 "min_stack_version": "8.3",
@@ -2561,16 +3014,16 @@
 "5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
- "sha256": "8438243430e0b6983e01c039dfab3f7c01111a8f9939c207ef853108907a977a",
+ "sha256": "21be01742858a1db7d297c338482f5a580a441699ca10d99874c0c9e24f50499",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "5a3d5447-31c9-409a-aed1-72f9921594fd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell via Java",
- "sha256": "64625792213f211d0d8a873101fb7b1569da37e5179bd5f201b2c1f3101de821",
+ "sha256": "78ec1a1157f2afe9c030908365e734669d12f566fd1992245244eb8def7d4314",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
 "min_stack_version": "8.3",
@@ -2582,37 +3035,37 @@
 "5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Secure File Deletion via SDelete Utility",
- "sha256": "b13fb00b87c825ce3f05d65295a6b1a47fec6d46d5fe22058d8b8b164a678d0b",
+ "sha256": "b57b1fa14361058e949c21cc407ad8e502c41b901b2f7b5a575ffb1d9fb460bd",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
 "min_stack_version": "8.3",
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "2b30d95ee6d6e8bd0ff888cc6609d826560591c7ef3681b5ff74f49f7cc3c888",
+ "sha256": "cca11b1e320068fb951e6be8baba9a7f49cfef803b613bda1ccaea95922f3a00",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "5b06a27f-ad72-4499-91db-0c69667bffa5": {
 "min_stack_version": "8.3",
 "rule_name": "SUID/SGUID Enumeration Detected",
- "sha256": "1e8068d0ce5b93ac8598cc1cc3ce47385a0c99bb43ce15b27a514542fe4adb39",
+ "sha256": "484f49639b052fc38d358f83984230e1a524fdb9d60f221668f8fe55b7485c50",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "5b18eef4-842c-4b47-970f-f08d24004bde": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious which Enumeration",
- "sha256": "918d3ee72f0aba9e0a382045c846e04f7dc5e1f942954c077aa639794e809917",
+ "sha256": "fc50e7f8c6f1d7485f6a164637556906c3e3711d037759cf0c017826a110f6f3",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Masquerading as Browser Process",
- "sha256": "2869df554ce679e32f42029716b74524aa21ea7af2872e5a42c55de5ceb7835c",
+ "sha256": "10846cbf0f6d148b7fc84a14a62f5bc1b44382eda5971d84a0747c8788c93721",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
 "min_stack_version": "8.3",
@@ -2622,25 +3075,34 @@ "version": 104 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS WAF Rule or Rule Group Deletion", + "sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98", + "sha256": "333f27913815c1e4ec223cb266bc34cfadb31ac1a598d1fac7a8de01ac3abd9b", "type": "query", - "version": 103 + "version": 205 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "min_stack_version": "8.4", "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "3a1daa97831ddf8f5bfcf84698ec8b3deff467d7f1b8770467a760ef355c1a5b", + "sha256": "1021f7351d5cc378ded4585010e7ba4b057a05fab6f8e42157c6facf422bf6ec", "type": "new_terms", - "version": 6 + "version": 7 }, "5c895b4f-9133-4e68-9e23-59902175355c": { "min_stack_version": "8.6", "rule_name": "Potential Meterpreter Reverse Shell", - "sha256": "5941e6650b12bc02b03d289fa389b9f2347c53636e6368753bd5917b5a776cd5", + "sha256": "c29613a13876b018582e791f2843e3b12181e06c36266665efe4711c52945024", "type": "eql", - "version": 1 + "version": 2 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "8.3", 
@@ -2652,16 +3114,16 @@ "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "361a074bbb3fe56ec08c1430d5b5afc021f8502cb133c1066dd514bdacb37f06", + "sha256": "a4e1f03bf2a4863f8922d20b5ab31fc5fffea4c27e35c47e61634b492dba558e", "type": "eql", - "version": 3 + "version": 4 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.3", "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "e4796e4f5ba9178180960e592aae8dc79ef969e7b951f2c2fd73dae57d29406f", + "sha256": "c0fd1feebe4607a5b3db25454a63e6c46b64c43070cd6c6487fac57bfd65b53c", "type": "eql", - "version": 104 + "version": 105 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "min_stack_version": "8.3", @@ -2673,9 +3135,9 @@ "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "min_stack_version": "8.3", "rule_name": "Persistence via PowerShell profile", - "sha256": "5ce8477d708b49d1d38136f4638bc5596e3190949b3e561ff84d56566ca96f61", + "sha256": "421c30d4787b7da4cf4496d67084325210732a4aa854db2cac54429840f044c7", "type": "eql", - "version": 5 + "version": 6 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "min_stack_version": "8.3", @@ -2687,9 +3149,9 @@ "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "865a5c61d5bdf21e24120d3b8eb35f82a23286c618fc795dce353491987d04fa", + "sha256": "f99460b7128f713e96cead9f3d34cf8f19a3561e1e51d86f60ca99f765d7d93e", "type": "eql", - "version": 104 + "version": 105 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "min_stack_version": "8.3", 
@@ -2758,9 +3220,9 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "a5b4ed432583abe86a630527b3026ee3a58f9813bb11868c628754ff414a3c7f", + "sha256": "123e32643dd7c3052f52ade724c9c93759749d28fdb592ffbdccec9ea688d1a2", "type": "query", - "version": 109 + "version": 110 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", @@ -2771,9 +3233,9 @@ "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { "min_stack_version": "8.3", "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "71e064cd3cf1b8dec498d3e054d70ef2121113be1ed24c7e7df6af3b4324f27e", + "sha256": "ac85da0bd50146a9acd21f199d77bcce98ff857d768071bb894e26118b26a239", "type": "eql", - "version": 107 + "version": 108 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.3", @@ -2820,9 +3282,9 @@ "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "min_stack_version": "8.3", "rule_name": "Network Connection via Signed Binary", - "sha256": "f383ad8f33cab31ab158968663de5ed3d540de9a4d8d0fa4a578e19a35ed061c", + "sha256": "e3f5d9f1f0b68b258714156bb2d6558011e846b2fad3ad178aae26c7c0f6c81e", "type": "eql", - "version": 105 + "version": 106 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "min_stack_version": "8.3", @@ -2841,9 +3303,9 @@ "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { "min_stack_version": "8.3", "rule_name": "Network Connection via Recently Compiled Executable", - "sha256": "60780f0b220f4de4cccb01815d9585964f3d68bd515b23972bc9b881a36a70ea", + "sha256": "b277d6162b8343013d1498f692467e7cec38348da2ba5058ed1fd1aebcc40eaf", "type": "eql", - "version": 1 + "version": 2 }, "6506c9fd-229e-4722-8f0f-69be759afd2a": { "rule_name": "Potential PrintNightmare Exploit Registry Modification", 
@@ -2877,9 +3339,9 @@ "6641a5af-fb7e-487a-adc4-9e6503365318": { "min_stack_version": "8.5", "rule_name": "Suspicious Termination of ESXI Process", - "sha256": "0711743a3e6d25d5ac8089b3f5e996420a92bc7890f358cb4e23c6d88ba9a615", + "sha256": "2d5c0856617f70f9ed2e5835c40dec8304a2290370c5414745c806fde457e583", "type": "eql", - "version": 3 + "version": 4 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.3", @@ -2891,16 +3353,16 @@ "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "min_stack_version": "8.3", "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", - "sha256": "5011350beae3fbee34961ee280dce76139c391e32caf77391b710c0998735d95", + "sha256": "de1f883c87b1b49ce0932b95dd0ebaabede9c5334b6f18e2222c3fc3a5628bec", "type": "eql", - "version": 1 + "version": 3 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "5c79e5fd80163228473cfe5b3b9f61d769a063b5c1372c30928ab2ac59cf0525", + "sha256": "4c82661472cef610b0a6a24cb6654b4f11869bf4401d656eaa68c78289f66302", "type": "eql", - "version": 107 + "version": 108 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "min_stack_version": "8.3", 
@@ -2919,16 +3381,25 @@ "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "min_stack_version": "8.3", "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "9546181bdfa5b6f04cab84f0ff7afdbbb59ef9ddeaf7ec7bd070a1808324473d", + "sha256": "086eafbc984aa6480575297071ab4771019ea9eda87148c85e6f2eb40f7674f0", "type": "query", - "version": 6 + "version": 7 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", + "sha256": "0f0e1ba88bbda85d60bb8fc96bda554db238881ea16937d0f0fa5414a15e6ede", "type": "query", - "version": 104 + "version": 206 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "min_stack_version": "8.3", @@ -2938,11 +3409,20 @@ "version": 102 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", + "sha256": "e8e7b2e174c70d5a4a851a47b90138516f2a3c440e275c037a6f1334759c87de", "type": "query", - "version": 104 + "version": 206 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", 
@@ -2953,9 +3433,9 @@ "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { "min_stack_version": "8.3", "rule_name": "High Number of Process Terminations", - "sha256": "9654e394fb859d2bbad76596b99237d6f8d15e70526ea0e27711c4c3a680ae77", + "sha256": "21d744da94221fcbec162dddffe8794cefc8fd26321d770c472b47093b28a95a", "type": "threshold", - "version": 108 + "version": 109 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", @@ -2966,9 +3446,9 @@ "6839c821-011d-43bd-bd5b-acff00257226": { "min_stack_version": "8.3", "rule_name": "Image File Execution Options Injection", - "sha256": "97b4abe585f163bcdacc300075bf109cb501bbb7d1de90a2cdbbbdfbbd9aef97", + "sha256": "ad88e3a9101259f72a383196f9f474fb828e8dd2b844ef2d61caf9fb986c1028", "type": "eql", - "version": 104 + "version": 105 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "min_stack_version": "8.3", @@ -2978,18 +3458,27 @@ "version": 102 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Okta ThreatInsight Threat Suspected Promotion", + "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", + "type": "query", + "version": 105 + } + }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", + "sha256": "8d04de56ef8b8f97264ebf4f9614963e43b9106d543823fdccbce9b59a0011d8", "type": "query", - "version": 103 + "version": 205 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.3", "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "e56e2b209388ed0f70bed3114edcf6d49e83959d733faa801e3d40209152e327", + "sha256": "6223d04f4e618351c760d259ecbc3d42c8da22daf8a9bd58497228d13304bab4", "type": "eql", - "version": 105 + "version": 106 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "min_stack_version": "8.4", 
@@ -3010,30 +3499,48 @@ "689b9d57-e4d5-4357-ad17-9c334609d79a": { "min_stack_version": "8.3", "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "46775980c978cd2264682497c62b9788b6645243da6b72ddaea5bbff0388df3e", + "sha256": "ebde0ba43ed054967c01f489cd5f2e45b9dddf79b90351dea7e78c5a5c2edfe6", "type": "eql", - "version": 104 + "version": 105 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Log Group Deletion", + "sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4", + "sha256": "6c4325ced0b53d29535ee5afd746cd09fd120823f660b5bd3518ca50fadca146", "type": "query", - "version": 106 + "version": 208 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "53f09e4c88d11c0ee66a186321981f9eb31165d73f02b874ca0edbed0844c6da", + "sha256": "0feac3bd75fcc2317ee0e9e91a7f2f35063c0c5a62b5c47076545998d3ac12ae", "type": "eql", - "version": 105 + "version": 106 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", + "sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd", + "type": "query", + "version": 5 + } + }, "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd", + "sha256": "62a819dfff5aff4d9a71c1af4dbee137aa6d96683a906088769effac0fdbd8b1", "type": "query", - "version": 3 + "version": 105 }, 
"699e9fdb-b77c-4c01-995c-1c15019b9c43": { "min_stack_version": "8.5", 
@@ -3059,39 +3566,57 @@ "version": 106 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Password Recovery Requested", + "sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17", + "sha256": "31f084b4192870ca6c93d341a1f9e6d9eecaaefe046fcf6687209ec23866edf3", "type": "query", - "version": 103 + "version": 205 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.3", "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "f3cb8da67a3f69a296b53078b37707f55d6852f4c55b7bc074af6e3ab2a01d20", + "sha256": "d6efd876704aecbc61e32f00bc3fc87660de3486490102dee717f3cafeef34ee", "type": "eql", - "version": 105 + "version": 106 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.3", "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "a9f9aa8f746871dce91e94cba6697e908e9901be0135860b93572a5904b48b04", + "sha256": "2094e45cb6acf5514345f45de5980fa93856dbe2564c14cda824cfb92609fe9b", "type": "eql", - "version": 107 + "version": 108 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "min_stack_version": "8.3", "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "7541e1a6c4200e3961759f0cdadba8eaf793f6e3e9e28dbb34af84aeac5f6fce", + "sha256": "36f237a42a890a47fd41636119b3f4f6cb483699638fa0570dee4cc7ba1bdd6e", "type": "eql", - "version": 1 + "version": 2 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Sensitive Files Compression", + "sha256": "271c0de47099ee8a5e049d68bf4d49801b884b81f673df03edceab970daebe19", + "type": "query", + "version": 
106 + } + }, "rule_name": "Sensitive Files Compression", - "sha256": "24dee3257162b876da6487b55368acb5b38040fd13ce5d0bc7511b0644e2ae48", - "type": "query", - "version": 105 + "sha256": "2665a4bfaf61af8a5033e6aff2ce6950c77fc795eb6bba42b6b5064e84fa8841", + "type": "new_terms", + "version": 206 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "min_stack_version": "8.3", @@ -3110,9 +3635,9 @@ "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "dfc2fbc0fab4f84b16f206bb71d59399a3450f5cec21c03daa1fd20d529ccdc9", + "sha256": "6c77473acf3dec0fc8fd9d0d2f4a0de620f5007008bf85e61fc224fa1087b63a", "type": "eql", - "version": 104 + "version": 105 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.3", @@ -3121,6 +3646,13 @@ "type": "machine_learning", "version": 107 }, + "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { + "min_stack_version": "8.6", + "rule_name": "Potential Privilege Escalation via CVE-2023-4911", + "sha256": "0a052fad94510f59c9efd5ffec0901831516c7ea937d86e3532157035d86466a", + "type": "eql", + "version": 2 + }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.4", "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", @@ -3138,9 +3670,9 @@ "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "min_stack_version": "8.3", "rule_name": "AdminSDHolder Backdoor", - "sha256": "c6d5f04ccbfb426d106eb3b03f1f20727722e4632689aec4bc9fc11edb28bc83", + "sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1", "type": "query", - "version": 105 + "version": 106 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "min_stack_version": "8.3", 
@@ -3152,16 +3684,16 @@ "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.3", "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "b93d5773dd0b96dd6d8e331197414f59005cceea42ac2b114e9ace428ca9f578", + "sha256": "bd57722ccc74983106255532898917957a55fafd6c760af95a0650a7a93e5ef4", "type": "eql", - "version": 105 + "version": 106 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.3", "rule_name": "Security Software Discovery using WMIC", - "sha256": "a1ae41d886802078065a49f39d3cccfc069db47d2052a9950cf0421e0187f9c5", + "sha256": "7400438cd326b5fa5137479c92eb2898c709c3338757a1f631cb718de551a551", "type": "eql", - "version": 106 + "version": 108 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", @@ -3172,9 +3704,9 @@ "6ee947e9-de7e-4281-a55d-09289bdf947e": { "min_stack_version": "8.3", "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "9b7a1e7596fff4b6d70a4064cf79f606a74f214ef8aeb4234c08842d2c1b910f", + "sha256": "9a958c72f2b71c12da6147cd83e0d798c1e114b362bd577b27f0f921b0a13465", "type": "eql", - "version": 1 + "version": 2 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", 
@@ -3205,18 +3737,43 @@ "version": 100 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Deleted", + "sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1", + "sha256": "6eb194ad10e7ea8d3c8547593a150c60eda885a07be0a3dc57dab3dc0d993314", "type": "query", - "version": 106 + "version": 208 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Config Resource Deletion", + "sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Config Resource Deletion", - "sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0", + "sha256": "16521ebadcb6ecd1ffe3b12756c604b96cf8b5daedd95eeec1e1fd2eef096dd9", "type": "query", - "version": 106 + "version": 208 + }, + "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Execution via MSIEXEC", + "sha256": "934721c56a14fb6b1ea672f4cedb14eae9cdafb81a8e9bf35230f542a602740f", + "type": "eql", + "version": 1 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "min_stack_version": "8.3", 
@@ -3240,11 +3797,20 @@ "version": 3 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Modification of Dynamic Linker Preload Shared Object", + "sha256": "dc67793718c16d2d90d8be38bf310b0ce87c25f4e9c56a66f7a231b80d9922f0", + "type": "query", + "version": 107 + } + }, "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "565a3a934715161cb1c0bd792b9694d865ccf9df21072f0e5bd381c947ec3b65", - "type": "query", - "version": 106 + "sha256": "72fea82152115abc97ea9e34b7e9bf40be8d5af11313625404f62dfcf5ca61e1", + "type": "new_terms", + "version": 207 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.3", @@ -3256,9 +3822,9 @@ "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.3", "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "44d4d66dea85165137a0d3f86d314a56a2d3de07baedee209e53118864691402", + "sha256": "d442a3b1c1b313c54f0bad14de16f98cd68ae8ada5e87c99e8c29aabe78f2d7f", "type": "eql", - "version": 104 + "version": 105 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "min_stack_version": "8.3", @@ -3268,11 +3834,20 @@ "version": 102 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", + "sha256": "a26dbdf7534708e6c75311dac75a165cbb21ce2fedc44bffa5ebd8437ffe6354", "type": "query", - "version": 104 + "version": 206 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", 
@@ -3280,6 +3855,13 @@ "type": "eql", "version": 100 }, + "72ed9140-fe9d-4a34-a026-75b50e484b17": { + "min_stack_version": "8.6", + "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", + "sha256": "76e9e3a24fb77bafe1b7f5cf3730c4024c32f045d85de9b0857bae7a8716b2df", + "type": "new_terms", + "version": 1 + }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.3", "rule_name": "Potential Modification of Accessibility Binaries", @@ -3309,11 +3891,20 @@ "version": 103 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Suspicious Sysctl File Event", + "sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc", + "type": "eql", + "version": 3 + } + }, "rule_name": "Suspicious Sysctl File Event", - "sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc", - "type": "eql", - "version": 3 + "sha256": "cdae4cce31893b3eb3b3a3472011e11708a7c9e1fcf4410bb88e18a099a94361", + "type": "new_terms", + "version": 103 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "min_stack_version": "8.3", @@ -3355,16 +3946,16 @@ "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.3", "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "d9c6faf2209cb103e1548a470602851ee01bf04f32853d0ed66169fff27e6847", + "sha256": "d2e53030dc005a302f0b5bb530360d58ce429809a0ed1827bc6d5b89de8b351e", "type": "eql", - "version": 7 + "version": 8 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", - "sha256": "1d6f35d59421b7701973891ca9762db50f5dd087b3feb9e9e384ee927cdf1d36", + "sha256": "a3536eb13408e7fc538952bee75a1362e3be277b14f1edc18c2f63fda3f5f08c", "type": "eql", - "version": 105 + "version": 107 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.3", 
@@ -3376,23 +3967,23 @@ "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "22a26a54eac8e02ec72df44fdc261481315acec5885269f591cb5fd1c46d1825", + "sha256": "ee743b928b61e259c3e46fce5b16400121f6ef6affdc122ea1f47e9a199900ea", "type": "eql", - "version": 4 + "version": 5 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "9f85a8053c83ad71c8540a2261dbbc4708549c0de62c0edd99395ef16629cc9f", + "sha256": "df53ce37b5877a6a26f2e5b7d78d60000048e5eaaa3d152f9ead7ef84d700a19", "type": "eql", - "version": 106 + "version": 107 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.3", "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "3efbbd83a3795ef381af8172fedb8209e077505df6097622483b3275060f8be7", + "sha256": "863f7c79c8a07dbe9f74d5dd1ecb111219e82a3039c95ed6d56de800b2e13c69", "type": "eql", - "version": 106 + "version": 107 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "min_stack_version": "8.3", @@ -3411,9 +4002,9 @@ "781f8746-2180-4691-890c-4c96d11ca91d": { "min_stack_version": "8.3", "rule_name": "Potential Network Sweep Detected", - "sha256": "dac06daad2d64130cbe33805c45aa9bdba206772051f496081644a309db32cd2", + "sha256": "e8646ede4715b107643a3098b6e032965f664c38e7341d9d0519b3a8510d2fab", "type": "threshold", - "version": 2 + "version": 4 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "min_stack_version": "8.4", 
@@ -3439,18 +4030,34 @@ "version": 105 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Spike in AWS Error Messages", + "sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Spike in AWS Error Messages", - "sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57", + "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2", "type": "machine_learning", - "version": 106 + "version": 208 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "min_stack_version": "8.4", "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "7b5df51876d17dc0c0978937514b88e32fbb68a471fdbfb5063af60dff04d178", + "sha256": "11fb3b45a1ccc2f104c91997fb4d7093f0efd5534a8f2048aa90ef37cc11f6cd", "type": "eql", - "version": 4 + "version": 5 + }, + "79124edf-30a8-4d48-95c4-11522cad94b1": { + "min_stack_version": "8.3", + "rule_name": "File Compressed or Archived into Common Format", + "sha256": "ffc63f1281c5daf184121bec10deda5e91670f64baeaf47d2ee5336649bf2c78", + "type": "eql", + "version": 1 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "min_stack_version": "8.3", 
@@ -3462,16 +4069,16 @@ "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as System32 Executable", - "sha256": "3b177629deb6dd64f254d75b8a4f6b71879b7ff33a70d98c184560b82d67277a", + "sha256": "51fa21c1094b9e214686668956d499fc25f19607d7b1a93fc094aa557eda00d7", "type": "eql", - "version": 1 + "version": 2 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.3", - "rule_name": "Potential Exfiltration via Certreq", - "sha256": "4ef6fb0e47ac848843d2ae9b37eacc7369390ef5ff45ecf6b0a374512ad4b979", + "rule_name": "Potential File Transfer via Certreq", + "sha256": "a74b9849420ed6b7c23bfb51caa8aad585cf535af48bfd4c11d1d7a16c8560f8", "type": "eql", - "version": 4 + "version": 5 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.3", @@ -3489,9 +4096,9 @@ "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "1dd7950a241f5882d741236f88f61e5ed12437aa16756ce984ee04379e2dcdf9", + "sha256": "d77a6da669fbbb4406a59bd7061baf788f0f9fef20b43321c6fcfbb00a24690b", "type": "eql", - "version": 2 + "version": 3 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", 
@@ -3500,18 +4107,27 @@ "version": 100 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS ElastiCache Security Group Created", + "sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4", + "sha256": "05d7545eb5be8c088900939645d5a75858e48029b72b2926c878627697576a85", "type": "query", - "version": 103 + "version": 205 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", - "sha256": "ef35c00c8f160878d607315e984c5aecf6fdca5f36d9db988c29e88f76d00270", + "sha256": "a02a471585a3b5aafa89be56f312db81bad278d8eafbf7463f73cfdebf9c80bb", "type": "eql", - "version": 106 + "version": 108 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.8", 
@@ -3568,44 +4184,78 @@ "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.3", "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "0d2e9303095644cff713d6cc47bcea144b0fb7d1c8c7026f50ac5fe60e57228b", + "sha256": "c2521f557370eeadd9f5ab09fd706593451e0f0d44ffcb8ee63fd21ec3433862", "type": "eql", - "version": 105 + "version": 106 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 100, + "rule_name": "Discovery of Internet Capabilities via Built-in Tools", + "sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66", + "type": "eql", + "version": 1 + } + }, "rule_name": "Discovery of Internet Capabilities via Built-in Tools", - "sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66", - "type": "eql", - "version": 1 + "sha256": "bc8f0cbcbf93a3e84a7433c81cb3997b0f23a2d6b1a1df28e3828f0fe7f1ac50", + "type": "new_terms", + "version": 101 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "min_stack_version": "8.6", "rule_name": "New Systemd Timer Created", - "sha256": "27bee4413c109d7597639a0a60acd77d395ddd1b5f6f4fb09c88c026a699a4fa", + "sha256": "94cbc646d3a0879e403b786c2c25535db4aebbd67a3f041a8bf43b206462b8f2", "type": "new_terms", - "version": 5 + "version": 6 }, "80084fa9-8677-4453-8680-b891d3c0c778": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Enumeration of Kernel Modules via Proc", + "sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0", + "type": "eql", + "version": 3 + } + }, "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0", - "type": "eql", - "version": 3 + "sha256": "bcfbab89662a36049bb509952b29602fc3e552bc91c4f6851b183c3881604f7b", + "type": "new_terms", + "version": 103 }, 
"800e01be-a7a4-46d0-8de9-69f3c9582b44": { "min_stack_version": "8.3", "rule_name": "Unusual Process Extension", - "sha256": "15e1dd225bae684eac522b61872faae250a8aac0c4cb71b4e6d68986665587ed", + "sha256": "892abe65dfb4e821b001077e250ac7619928c9a8ba796ec314d9abce74c74ba8", + "type": "eql", + "version": 2 + }, + "808291d3-e918-4a3a-86cd-73052a0c9bdc": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", + "sha256": "e07fdca00c03cede7dcd07d161752b6a5fa31a5987779dde490803e67071a0f7", "type": "eql", "version": 1 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual City For an AWS Command", + "sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual City For an AWS Command", - "sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab", + "sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199", "type": "machine_learning", - "version": 106 + "version": 208 }, "80c52164-c82a-402c-9964-852533d58be1": { "min_stack_version": "8.3", 
@@ -3614,12 +4264,19 @@ "type": "query", "version": 101 }, + "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { + "min_stack_version": "8.9", + "rule_name": "Unusual Remote File Extension", + "sha256": "1eaf7e432793ec71e4a6924b5d8e2f95b30b4b8042f8aaeee43aed4a24050610", + "type": "machine_learning", + "version": 1 + }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.3", "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "9c2f8341e807bf0b4ffeb0c40e797f72dbdd69d65b6db7a2a6c7f8ee10708d7a", + "sha256": "cd1b53b5cd9aacd751ae8801be77543c716fd21c184f54a776380edd185e8275", "type": "eql", - "version": 106 + "version": 107 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", @@ -3630,16 +4287,16 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "663ce5702cc916692b79094fb7c51dcad29f2f3687f8085ce74b1f699219eb1e", + "sha256": "2a512f65b3d174a8cea1e7d419378e4fb46c850bc7e3a514409f3093ae43dc92", "type": "query", - "version": 108 + "version": 109 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.3", "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "82f8ec9cc22e111eb627de7426fd99dd540938ed1e0d05473496ea18b54c3cea", + "sha256": "b9eb095355ecc02a827ca56e41a3ccd5fd5fff3c57c2f1a1e16e0f32082bcd46", "type": "eql", - "version": 6 + "version": 7 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.3", @@ -3651,9 +4308,9 @@ "835c0622-114e-40b5-a346-f843ea5d01f1": { "min_stack_version": "8.3", "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "fe6cc04fb2e612cab72a6d221db5f03f75c1706355d5c212987ec5de3a2bd3a6", + "sha256": "1dd8817884ca577039baba5ede3be91c85119efdb77f580810c95c223816ebcc", "type": "eql", - "version": 2 + "version": 3 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "min_stack_version": "8.3", 
@@ -3671,9 +4328,9 @@ "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "7bd7ca6309b09a6218ebe05322f1477ad28327ac05cab27ae9eb18267b43563c", + "sha256": "73d35f95e41d651a5e75315cd4b570345c8cc6334b9dec7db8adf08b57f52e30", "type": "eql", - "version": 3 + "version": 4 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.3", @@ -3682,12 +4339,19 @@ "type": "query", "version": 1 }, + "84d1f8db-207f-45ab-a578-921d91c23eb2": { + "min_stack_version": "8.3", + "rule_name": "Potential Upgrade of Non-interactive Shell", + "sha256": "3ab2c7dffde8d59a7f0d31f4f475c98f5325a94adb789cc4096286ae73e70e36", + "type": "eql", + "version": 1 + }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "5a3c03a8465e2bd10bcaa699af57945cf361af5ca71be2662c20a6746a5b4960", + "sha256": "ff711eea051615cadd16874b875330acd62c7aaf5fb10e2db0d36c1f15799712", "type": "eql", - "version": 107 + "version": 108 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "min_stack_version": "8.3", 
@@ -3697,53 +4361,98 @@ "version": 108 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Suspicious PowerShell Engine ImageLoad", + "sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47", + "type": "eql", + "version": 108 + } + }, "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47", - "type": "eql", - "version": 108 + "sha256": "4c25f7bb1a234052d7a5d22439a6b2ceaf128a052fa764bb1d97b0d2b5928eee", + "type": "new_terms", + "version": 208 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Network Access Control List Deletion", + "sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113", + "sha256": "f9a3ba3b45d5b33b1e73c806495b984233a6b2bc200082fc945fa31d8fea41be", "type": "query", - "version": 103 + "version": 205 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Security Group Deletion", + "sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Security Group Deletion", - "sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7", + "sha256": "0c9d4de210e608efca7e588b59eeb71ca5f96b5b20c083daee0e8d4035f0cd32", "type": "query", - "version": 103 + "version": 205 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", 
+ "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Group Deletion", + "sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Group Deletion", - "sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6", + "sha256": "f4898405685170f2b55f69bcde2b41a0cb8b861ef6040f86e3257bf0abf93383", "type": "query", - "version": 103 + "version": 205 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { "min_stack_version": "8.3", "rule_name": "Security Software Discovery via Grep", - "sha256": "d5d6fbfe8a86e827bb1f10589d9e8427ba7b59bea1a9707d4359dce6fee0929f", + "sha256": "39e477f562630dea0f3f3b68106d7c699a87d2ab0764247fc8bd0de442981f4f", "type": "eql", - "version": 105 + "version": 106 }, "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": "8.3", "rule_name": "Enumeration of Administrator Accounts", - "sha256": "70ad3fa6e2da2dbfbb0211d6835e6657b3c156417e77b4b8bc33b86c2b69167d", + "sha256": "16de3139ef7299ea2fe5dc3a874629d2079e250e032b7f33ce0250a0b0e931e6", "type": "eql", - "version": 107 + "version": 108 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EventBridge Rule Disabled or Deleted", + "sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b", + "sha256": "bf5d21e0ace96205fd8f8db491ac9d75625ef089e4f5b3499d4a4209268f9719", "type": "query", - "version": 103 + "version": 205 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", 
@@ -3773,11 +4482,20 @@ "version": 104 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Potential Sudo Hijacking Detected", + "sha256": "28eba13edb2d9454c08d86938d6bf41ed614c2c32879ec8719cd571c0c9cbef5", + "type": "eql", + "version": 3 + } + }, "rule_name": "Potential Sudo Hijacking Detected", - "sha256": "a4206f33521819d8d7d53c211f4469b0f4d29f90aa303e728ed6c22f0acd0ec3", - "type": "eql", - "version": 2 + "sha256": "90ab70272d3bdc85151e9bc2add9998f4819f17d13c282ae54e1b047602630e4", + "type": "new_terms", + "version": 103 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.3", @@ -3816,9 +4534,9 @@ "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "min_stack_version": "8.3", "rule_name": "Suspicious Symbolic Link Created", - "sha256": "ffb3cada9e61abf88edfa4d4994b68df4a1c86040ef6344d2d5d2f2fb67e0bb2", + "sha256": "bd4e75d4bef5c733959b047c5466da2d7768bfe892c50c383b7d1d46240bcaf9", "type": "eql", - "version": 2 + "version": 3 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "min_stack_version": "8.3", 
@@ -3830,30 +4548,48 @@ "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "a577ac9fcb46e067f2d9a3dfa1c37db43cf2b744e0701387877da0d9321a209f", - "type": "eql", - "version": 104 - }, - "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { - "min_stack_version": "8.3", - "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", - "type": "query", - "version": 104 - }, - "8acb7614-1d92-4359-bfcf-478b6d9de150": { - "min_stack_version": "8.3", - "rule_name": "Suspicious JAVA Child Process", - "sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16", + "sha256": "7b1e58c15587d23240b63b8dfd696aa8de530ddbf9be2c384db2620e9c9bd4ad", "type": "eql", "version": 105 }, + "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", + "type": "query", + "version": 106 + } + }, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "42864ccbb8e48936452a309318951454ac5820199a0b5e62be20a53c6846eb2b", + "type": "query", + "version": 206 + }, + "8acb7614-1d92-4359-bfcf-478b6d9de150": { + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Suspicious JAVA Child Process", + "sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16", + "type": "eql", + "version": 105 + } + }, + "rule_name": "Suspicious JAVA Child Process", + "sha256": "9bcba792d96bb90055853bbc119cff04fa2f40b46cd77ea9bab938ab61056074", + "type": "new_terms", + "version": 205 + }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { "min_stack_version": "8.3", "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": 
"577175231e8722658399f535dfe19fa278f3082f7848da4f3c65e77ee2a4118c", + "sha256": "e79736c160e70b66e87aa690264e4ebe08b958d00a2d8178556525a57dae4323", "type": "eql", - "version": 1 + "version": 2 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.3", @@ -3879,16 +4615,16 @@ "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "min_stack_version": "8.3", "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "02d2aa1ce970af5dbef685da0cfc51fc7c9d7c82932b13d1b19d8f212a1ba2de", + "sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b", "type": "query", - "version": 102 + "version": 103 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.3", "rule_name": "Unusual Child Process of dns.exe", - "sha256": "ab6f219326b46640112b041c6a7ccdf841ac3d4aa2e364b34b83a7869e301b70", + "sha256": "32ad67514f438b6e30f64bc4b7b4eb626be6582afadb55c240c2e4efe9b7cfcb", "type": "eql", - "version": 106 + "version": 107 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "min_stack_version": "8.3", @@ -3907,9 +4643,16 @@ "8cb84371-d053-4f4f-bce0-c74990e28f28": { "min_stack_version": "8.3", "rule_name": "Potential Successful SSH Brute Force Attack", - "sha256": "930f4fe60fcf470067a75a7d6d9b93d3c80d639fcc0cf248c30c9f41cb98f70d", + "sha256": "65f9ce05fea76a9a8692e1eab5ad90ab0904e79b28d0c1f077f5d0422c5a2098", "type": "eql", - "version": 7 + "version": 8 + }, + "8d366588-cbd6-43ba-95b4-0971c3f906e5": { + "min_stack_version": "8.3", + "rule_name": "File with Suspicious Extension Downloaded", + "sha256": "4aee04fcae9856c8db9a767d12e37c08a83d89f0665b4be03150aa01c6e03b4b", + "type": "eql", + "version": 1 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "min_stack_version": "8.8", 
@@ -3921,9 +4664,9 @@ "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "9037dac927b76a260a11026c3e893f9f85b2d876004b652c74c012bb7fd93f5f", + "sha256": "bb4dbd0f9903378286cb13efb8f0898a00bf9c3255d58d6a58bd21da8997c9b5", "type": "eql", - "version": 105 + "version": 106 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "min_stack_version": "8.3", @@ -3949,9 +4692,9 @@ "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "min_stack_version": "8.3", "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "818146f18a2aefd065739007ec4aecb61ec4257169528b7a6605b7ff0cc0758c", + "sha256": "d3f17c275351dce43dbed1904257d053abe2a6e174ec12f91eabbc40236f918e", "type": "eql", - "version": 104 + "version": 105 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.3", @@ -3976,16 +4719,25 @@ "90169566-2260-4824-b8e4-8615c3b4ed52": { "min_stack_version": "8.3", "rule_name": "Hping Process Activity", - "sha256": "63e23dabfb3a8535a41b473614245b4df52a35760e0485a6e9f51e55d61615f5", + "sha256": "bca55701a9d9f3c48b1f6d8df6d0672f880ea5e8f7b5252ada7c42af6458802c", "type": "eql", - "version": 105 + "version": 106 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Deletion of RDS Instance or Cluster", + "sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa", + "sha256": "52ad2c61bc4217845afa6a13fe3e23cd405324f6bc6779b2ed3a21ecda615e14", "type": "query", - "version": 103 + "version": 205 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "min_stack_version": "8.3", 
@@ -4015,11 +4767,20 @@ "version": 104 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS WAF Access Control List Deletion", + "sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c", + "sha256": "ecd61bd19c50c09347fdf33fed3a2f8ec9fc77dec053398a5b62f534e297ebdb", "type": "query", - "version": 103 + "version": 205 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "min_stack_version": "8.3", @@ -4045,9 +4806,9 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "50456decf4f398de8c09653fee24f7eb07663c151fc638cfd1cf7c9584cb733b", + "sha256": "7fe6f04aad78c1165b56664a6e2b192a15c39a1166c3b1e24906d7ff5b91b1f0", "type": "query", - "version": 5 + "version": 6 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "min_stack_version": "8.3", 
@@ -4057,25 +4818,52 @@ "version": 7 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", + "sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3", + "sha256": "b0edd6d0742b92fa2ebe2c3d5ea02c63f8a1edffe0b0f53320b86ed419ab8fb8", "type": "query", - "version": 103 + "version": 205 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Sudoers File Modification", + "sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef", + "type": "query", + "version": 103 + } + }, "rule_name": "Sudoers File Modification", - "sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef", - "type": "query", - "version": 103 + "sha256": "6a1a6b3462c4ea5f0ea3cf546684745e51efb7a52a094227c5b2f06e6fa90bc3", + "type": "new_terms", + "version": 203 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS VPC Flow Logs Deletion", + "sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3", + "sha256": "408b41a86252884a996ece1031334c7b73d4870202ad4a65c1a74d5392ad3454", "type": "query", - "version": 106 + "version": 208 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.3", 
@@ -4108,11 +4896,20 @@ "version": 205 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Modification of Standard Authentication Module or Configuration", + "sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f", + "type": "query", + "version": 104 + } + }, "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f", - "type": "query", - "version": 104 + "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", + "type": "new_terms", + "version": 204 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "min_stack_version": "8.3", 
@@ -4168,23 +4965,32 @@ "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.3", "rule_name": "File made Immutable by Chattr", - "sha256": "8de6fbce3edd5e6599051a15eae6429056bb4fae367b3cd3572ece577dc22e1b", + "sha256": "951d63b6557d5c3fb3f155e45999afcdd86791f7d830c26ba0ff9811f2ae0367", "type": "eql", - "version": 106 + "version": 108 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Attempt to Create Okta API Token", + "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", + "type": "query", + "version": 105 + } + }, "rule_name": "Attempt to Create Okta API Token", - "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", + "sha256": "00e7844e7b50556df54dd1a80585ef3b0d6e18949813883d66e9467cd40a90f9", "type": "query", - "version": 103 + "version": 205 }, "96d11d31-9a79-480f-8401-da28b194608f": { "min_stack_version": "8.6", "rule_name": "Potential Persistence Through MOTD File Creation Detected", - "sha256": "ac2aae146b439c128acf93b6d08c60c1297ef5ce278baed0d2463fed3d109553", + "sha256": "6adb4dbd03b3b5ad0d5318c1e811e89f0c4c560f2c2cac1830b06b007134962c", "type": "new_terms", - "version": 5 + "version": 6 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "min_stack_version": "8.3", 
@@ -4215,25 +5021,43 @@ "version": 104 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS SAML Activity", + "sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS SAML Activity", - "sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d", + "sha256": "6205667e0b3ffc035feaf7ed17e089eb50ab5ff04926b74e65bb83f73d79af8d", "type": "query", - "version": 103 + "version": 205 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Potential Abuse of Repeated MFA Push Notifications", + "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", + "type": "eql", + "version": 107 + } + }, "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", + "sha256": "77d0337a5eb54baa93eb1e573ddab7f5e356ad4892d6cf02c74ce6562afd8d2d", "type": "eql", - "version": 105 + "version": 207 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.3", "rule_name": "Suspicious Zoom Child Process", - "sha256": "b15108fed1be29ce5b03c10684a269ab6930c9843c4bae00bf62059a1151250f", + "sha256": "f82a785c120d52dcd2123f3f9d2f8b7503d520c6ea8e46fd74f310e8a53dd233", "type": "eql", - "version": 107 + "version": 108 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", 
@@ -4244,9 +5068,9 @@ "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI Files", - "sha256": "23394ff5cf8c8530a51e90c2408d609e7000dfbc5dff8724cb29cb88e63a6d09", + "sha256": "cd7035a0017aa4b845f94e3aa665721e72fe1dc535c9cfb0867b4657d8a94ef3", "type": "eql", - "version": 3 + "version": 4 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", @@ -4290,11 +5114,20 @@ "version": 102 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS EC2 Snapshot Activity", + "sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e", + "sha256": "3c5613df7cc89e9a173b0632a5db11d02b917f05f3c24cb3d44c416a679a4056", "type": "query", - "version": 106 + "version": 208 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "min_stack_version": "8.3", @@ -4310,6 +5143,13 @@ "type": "eql", "version": 104 }, + "994e40aa-8c85-43de-825e-15f665375ee8": { + "min_stack_version": "8.9", + "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", + "sha256": "58480532047dc1a5936dce3ece1b30e3643a68fe8d7e2343553008f2a0deab18", + "type": "eql", + "version": 1 + }, "9960432d-9b26-409f-972b-839a959e79e2": { "min_stack_version": "8.8", "previous": { @@ -4322,9 +5162,9 @@ } }, "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "2afc41e645fc2f007dfe22ec27e0c211672070aacd5d5a0a8281a8e68a24639f", + "sha256": "7fa3b7d91df0f6450cc6e044925c196edd851d9521299f034167bb892f7b39dc", "type": "eql", - "version": 206 + "version": 207 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "8.3", 
@@ -4340,6 +5180,13 @@ "type": "query", "version": 102 }, + "9a3884d0-282d-45ea-86ce-b9c81100f026": { + "min_stack_version": "8.3", + "rule_name": "Unsigned BITS Service Client Process", + "sha256": "095fc86e65f65030c66df81f286788b89fcf9160e7970ddbb409cc824fc40fd2", + "type": "eql", + "version": 1 + }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { "min_stack_version": "8.4", "previous": { 
@@ -4352,37 +5199,44 @@ } }, "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "3d1c09ba378537737bdaa3bc2bbd9e9934d0e9cb7d50f63d33192377614d85f2", + "sha256": "353e07144858914694113a7e9d29ad53687500c1f60ed7c8b02d9c7cd634bad3", "type": "new_terms", - "version": 106 + "version": 107 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.3", "rule_name": "Suspicious Explorer Child Process", - "sha256": "e8cc9a60bbe510d51bd3ad134669feb9e5cb0fa08160bf27530801138c60e882", + "sha256": "51c78c6f9a1af947f778a0b2a2529d21600647e60786daa70a728174bf87c995", "type": "eql", - "version": 105 + "version": 106 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "min_stack_version": "8.3", "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "b2540b2ad922ec95cfd386da0ca9a614f308ef3262066028d23296d5db87509f", + "sha256": "26cb627c3803eec6cbcf9455a27b56c29ea1f604049232bf2d38813ad0a4d87c", "type": "eql", - "version": 105 + "version": 106 + }, + "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { + "min_stack_version": "8.3", + "rule_name": "GitHub Owner Role Granted To User", + "sha256": "152428a8434461254fd0550779e5f2ff7b906cf27f44936e520219c6c117b748", + "type": "eql", + "version": 1 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", - "sha256": "9a25dad4f89fd07ae509d365c90397c70feb22604338c0b57ed2c43b1498c278", + "sha256": "cb0771065ca25ee179d357d9e53676141cadf572ac31da5e1f00739f85cf36aa", "type": "eql", - "version": 106 + "version": 107 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.3", "rule_name": "Hosts File Modified", - "sha256": "acfc1d0db0cb1de8a27ec3ec15a3eea599e9644d56ab8bdd06c8678cf1bcee3f", + "sha256": "8f40a74de7484c5086f69c398cea506911f52935e23a27e3a229439cd5c239ce", "type": "eql", - "version": 105 + "version": 106 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "min_stack_version": "8.3", 
@@ -4394,9 +5248,9 @@ "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.3", "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "33745d6764626a4ad4ef565c71d285cde7a74a318e9622b428483457e45f612a", + "sha256": "594410ed9a140c2439264f3ef7b7bdefa77862b3865a95a2287437856a533db7", "type": "eql", - "version": 106 + "version": 107 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -4421,46 +5275,64 @@ "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Microsoft Build Engine Started by a Script Process", + "sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2", + "type": "eql", + "version": 105 + } + }, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2", - "type": "eql", - "version": 105 + "sha256": "fb85a79f99efb89bc92c481ec8e21aae037df490635821d5df16cac9b83057fa", + "type": "new_terms", + "version": 206 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "69d5523e4e8bd2c582f84b522bfeae185f56d87fb6f698ba3afd72a1722cfc9b", + "sha256": "dbebd3797fdae528a8f432c6944ceb33a92b55466eaf7317a77173ea58b80423", "type": "eql", - "version": 106 + "version": 107 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "b2885bccbc5942ef0b109aafd8cc5f741f11e702109bfce0e316e37c66a45f02", + "sha256": "8cbc8f08a554be1ad891d12df42a2e456602b21ce9cd4062d2c6428a80073296", "type": "eql", - "version": 107 + "version": 109 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "0cc7ec48190d68c5dc8c36a1df944b214f34c599d8425caea77fbf4875d98ff1", + "sha256": "4cf250c89befd6b335e6331fbef794c1a969a7f19e203c159d5a84ff3c54f944", "type": "eql", - "version": 107 + "version": 108 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft Build Engine Started an Unusual Process", + "sha256": 
"a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d", + "type": "eql", + "version": 106 + } + }, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d", - "type": "eql", - "version": 106 + "sha256": "1f08334b425a0821c64aa8990f322f468a74567993e56ff39c7f39cfafb44380", + "type": "new_terms", + "version": 207 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.3", "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "776c171ad88eb90cf08b8fe5b55c1f9f0303df9c61b6c977aa899c710d7f8348", + "sha256": "b8d4e0bd773e95d96983fb5724ac1405de2f5d491182e453c4dad3af9efe10cd", "type": "query", - "version": 104 + "version": 105 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "min_stack_version": "8.3", 
@@ -4479,26 +5351,35 @@ "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "18494ff65fcc575a4fe46296da4e82fca3ba729b57b21a1c55c64d81a92924ed", + "sha256": "e2394c0d8724d9f2e57e47f5a50cbfa2d1645b0cf50c8bfce9ce10a202bcd28f", "type": "eql", - "version": 105 + "version": 107 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via DCSync", - "sha256": "183d1fd02dc0fd574742ae54310b3f93b10da3165738e77fcdf8b460f5f7cdac", + "sha256": "dfd7fcad40d953ee8a27b0f8510db3d0cddfa4002ded1a896dbc248170dfb00a", "type": "eql", - "version": 109 + "version": 110 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "File Permission Modification in Writable Directory", + "sha256": "6c93604ac3f7c4e56ba67f913a4b594887a31706b87f87c25ce6fe48e9608fc3", + "type": "eql", + "version": 106 + } + }, "rule_name": "File Permission Modification in Writable Directory", - "sha256": "479f3fc53ac311718ff6affc4889eeca57ac3a34bf6f10026bf60b6b8e915eb8", - "type": "eql", - "version": 105 + "sha256": "ed6e7a8e67076b9fae1eb03416f9d82c7915364a8c9a99c7e4c881a6ce932693", + "type": "new_terms", + "version": 206 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { - "min_stack_version": "8.6", + "min_stack_version": "8.9", "previous": { "8.3": { "max_allowable_version": 204, 
@@ -4506,12 +5387,19 @@ "sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe", "type": "query", "version": 106 + }, + "8.6": { + "max_allowable_version": 307, + "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", + "sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263", + "type": "new_terms", + "version": 208 } }, "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263", + "sha256": "7cd0da2ff3ffb5eb309da5e40ce09ddc719465d69413af21aaa59db60bf569ea", "type": "new_terms", - "version": 206 + "version": 308 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.3", @@ -4520,6 +5408,13 @@ "type": "eql", "version": 8 }, + "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { + "min_stack_version": "8.3", + "rule_name": "Potential Privilege Escalation via Python cap_setuid", + "sha256": "410784f14d7bf622572e26d5b794f3a0c338a4e24485cc977afa183933cd6ba1", + "type": "eql", + "version": 1 + }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Creation", @@ -4537,9 +5432,9 @@ "a1329140-8de3-4445-9f87-908fb6d824f4": { "min_stack_version": "8.3", "rule_name": "File Deletion via Shred", - "sha256": "9bb73e05248278c13545b111daf70f5b5b00005f472f1ad9a8ad6dc03a7e4bb8", + "sha256": "6a172e2439d747140f251d1d0e83f556e72ae03725f37bc760d2d4d7649fdd03", "type": "query", - "version": 105 + "version": 106 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.3", 
@@ -4572,9 +5467,9 @@ "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "189260746002bccbe31e9ddb6ba7e60d701a6e651c5d2c19efe56cd242c954af", + "sha256": "cf164c11d3db4e9e02e907d5c0aef8c3c4aadaf05536b522bb73c9ab3bdb9560", "type": "eql", - "version": 105 + "version": 106 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "min_stack_version": "8.3", @@ -4586,9 +5481,9 @@ "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.3", "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "7e9cfb7b511344e897eac5189a53654f476437241ee0c37b7600d2e033787ca7", + "sha256": "914a39f1d00e560fa0f28e8f67e57de3b2185f0ca422a7b395f419f567383cbe", "type": "eql", - "version": 105 + "version": 106 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "min_stack_version": "8.4", @@ -4609,9 +5504,9 @@ "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "min_stack_version": "8.3", "rule_name": "PowerShell Mailbox Collection Script", - "sha256": "c26cd675ef7730a95a52e92c7f5bc7144cda7fb9f14144470c96dfe93b036da2", + "sha256": "af441eec9facc8c5fa2be399c6d3a1a2383c4e937ccfca40f8455f599c5d8a24", "type": "query", - "version": 4 + "version": 5 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.3", @@ -4643,9 +5538,9 @@ "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { "min_stack_version": "8.6", "rule_name": "Potential Reverse Shell via UDP", - "sha256": "2bb373420b8f04de56b4e10442d426787ff255a9ed14d92c64f05a0c3334871f", + "sha256": "e730ecd8da8e472be98472039b0fe0d3367e75d284b97851b915bac433ec17c2", "type": "eql", - "version": 1 + "version": 2 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "min_stack_version": "8.3", 
@@ -4655,11 +5550,20 @@ "version": 5 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Assume Role Policy Update", + "sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075", + "sha256": "10f0e0afc0e8f51f1c37dc1a9885a33dd37e56c43f029b3c5865e4983baefb3a", "type": "query", - "version": 106 + "version": 208 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "min_stack_version": "8.3", @@ -4678,9 +5582,9 @@ "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.3", "rule_name": "Suspicious MS Office Child Process", - "sha256": "e666ba885bd91e597b94e0359330e1a02c9c59b43b48de599aeb78a26c32aaa9", + "sha256": "1b6c475dbb4e03fa67ed24f68234e633e098831572aef47077e72f8dfe6957cb", "type": "eql", - "version": 107 + "version": 108 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "min_stack_version": "8.3", @@ -4689,6 +5593,13 @@ "type": "eql", "version": 104 }, + "a74c60cb-70ee-4629-a127-608ead14ebf1": { + "min_stack_version": "8.9", + "rule_name": "High Mean of RDP Session Duration", + "sha256": "da4ddd46272515e372d09fc4efb2d394cba8e054b0ce9bd555adef5a46d91034", + "type": "machine_learning", + "version": 1 + }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler SPL File Created", 
@@ -4717,6 +5628,13 @@ "type": "eql", "version": 1 }, + "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { + "min_stack_version": "8.9", + "rule_name": "High Variance in RDP Session Duration", + "sha256": "c0f263fa0ff7d4e7f059e58dd7c707af412cdea311f76703517ce73844a1267a", + "type": "machine_learning", + "version": 1 + }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf", @@ -4749,16 +5667,16 @@ "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.3", "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "a73b1eb6b898a6e001202a04fdd4d7fb4c5b701bd88b68a6840f1260506c2e68", + "sha256": "7844ec8c0187f632d87cd6160ec6fbfa6968c5922e6a07bb3372475a6a1b5f31", "type": "eql", - "version": 104 + "version": 105 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "min_stack_version": "8.3", "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "c71a73ed18eadca2c2c082ca0d511745ce0960e56167e3ed59116b93c8b2720c", + "sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee", "type": "query", - "version": 103 + "version": 104 }, "aa8007f0-d1df-49ef-8520-407857594827": { "min_stack_version": "8.3", @@ -4770,9 +5688,9 @@ "aa895aea-b69c-4411-b110-8d7599634b30": { "min_stack_version": "8.3", "rule_name": "System Log File Deletion", - "sha256": "6fee4b495f1438946191a9f0a5d18e790c19b3546166fa5dc0126a090844c515", + "sha256": "14e5354aa44af54186285133c4a176bf18dd8b2c1dc22c1555bd658ca8aed767", "type": "eql", - "version": 106 + "version": 108 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", 
@@ -4791,9 +5709,9 @@ "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", "rule_name": "Remote Execution via File Shares", - "sha256": "9a5ead5bb94a1738ef4a8c11bf9f462123e5bd0feb2519f360526765f6f33939", + "sha256": "9960496bb3be4ae85c905a65d9967cce3c87c957c5b9c0a36e7940676dc24fac", "type": "eql", - "version": 107 + "version": 108 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.3", @@ -4812,23 +5730,32 @@ "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", - "sha256": "afa61dc2050d9a7e20f967d9211dda8036fdb4e3a725c969403a31ceb567ba33", + "sha256": "0f822c4116038c91a881a8b8eda9017407457ea3498167dea425f66a161a9067", "type": "eql", - "version": 107 + "version": 108 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual AWS Command for a User", + "sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual AWS Command for a User", - "sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a", + "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49", "type": "machine_learning", - "version": 106 + "version": 208 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Server", - "sha256": "85b49fc5764428ee7a05cbde9d031b14b82f8f03824c859dd58ec45f25c8a091", + "sha256": "48bea2e83f12194db4f91544236e97199adeadca828f332acc5c23da9f9d9206", "type": "eql", - "version": 1 + "version": 2 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.3", 
@@ -4870,9 +5797,9 @@ "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "min_stack_version": "8.3", "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "bedefb3843c8bab1185b36e6c8ced6d50cf2e073be5c0270dbbb3b1b27cb89f9", + "sha256": "f9f3abc0bcdf5a397a26aac862f259f0a5b8a25feded07e85dcb9a308c799f23", "type": "eql", - "version": 104 + "version": 105 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.3", @@ -4906,9 +5833,9 @@ "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.3", "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "908f3060b0c4846a176cfe5ad9f2187c6bf23b09a3fe9833680c524f1b6ff701", + "sha256": "8f2f24455938fb5ea09e3ec7060090a25a269b6678183d00e54a6414e2df8ebf", "type": "query", - "version": 107 + "version": 108 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "min_stack_version": "8.3", @@ -4920,16 +5847,16 @@ "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "min_stack_version": "8.3", "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "bb502a72d7b3be033796d389420de72438dbe7d44096a7b8203caa4e7676c5aa", + "sha256": "8cd17e47485c9d7340c14995dfe14cbab3158f5de2a29a64a2e8281e1236dc66", "type": "eql", - "version": 107 + "version": 108 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "min_stack_version": "8.3", "rule_name": "Suspicious Communication App Child Process", - "sha256": "d195fb652753fee06135cdc5beb9fb65b68e7895f9d0fc199416d9269c88cfd6", + "sha256": "0e8ff7a50a23c7b9726e3fce8b74834754c75e9cc4bee21fddbb73b9acde9c43", "type": "eql", - "version": 1 + "version": 2 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.3", 
@@ -4941,16 +5868,16 @@ "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "min_stack_version": "8.6", "rule_name": "Shared Object Created or Changed by Previously Unknown Process", - "sha256": "26c12224f8502e7fc4d3293edee86f433e5a9232a94ff1ed704587a9c019e640", + "sha256": "aad1b5a33619e6512fe65f763c3bf7efc9340426847e9521aef7529ed7b820a1", "type": "new_terms", - "version": 3 + "version": 4 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "min_stack_version": "8.3", "rule_name": "Unusual User Privilege Enumeration via id", - "sha256": "e5a5fa72494c859d18b55169da07fe4402091b7b621b55c497592cfe489f3912", + "sha256": "c98963d7bd8d88e43392beedefd94e993beba6832757358cbd30700b542c64d8", "type": "eql", - "version": 1 + "version": 2 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.3", @@ -4962,16 +5889,16 @@ "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "min_stack_version": "8.3", "rule_name": "Network Activity Detected via cat", - "sha256": "842200b53b379cfcfe0e98cce8c0775e7120c7312edc3aecaa2cae7783559566", + "sha256": "3efeb12f45b961fb82eedcf17858c557c07e762e46a219c0988da6b4f07502f2", "type": "eql", - "version": 1 + "version": 2 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", - "sha256": "c8effdbedbafb2183ae0ebbed62b0c5290d8157f7c6cf64bd0f9df02ee6c44d7", + "sha256": "0bf1a7ca2b5b8e549eb4f67bc0935b74f3f25e139397f7b67fa4657d5d14de9f", "type": "eql", - "version": 2 + "version": 3 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "min_stack_version": "8.3", @@ -5003,9 +5930,9 @@ "b2318c71-5959-469a-a3ce-3a0768e63b9c": { "min_stack_version": "8.3", "rule_name": "Potential Network Share Discovery", - "sha256": "6b2beff828f6dbc7e7b0afe03808d0497daf94d97c99afb60f9b17cf65c76cb9", + "sha256": "eb213dc86c103363dad386e08221252c0d865f53b002b17fe09c36adb6631ec5", "type": "eql", - "version": 1 + "version": 2 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "min_stack_version": "8.3", 
@@ -5045,9 +5972,9 @@ "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "850a993dfb6eda757d5c928ddadb446f3ff907e01cc16c715a8274d56c405fa0", + "sha256": "aa283cd7566eebaa3e98d93024a7710926f4bb3dac4a46d97159d6377f7ee8ca", "type": "eql", - "version": 106 + "version": 107 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.3", 
@@ -5064,39 +5991,57 @@ "version": 104 }, "b45ab1d2-712f-4f01-a751-df3826969807": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS STS GetSessionToken Abuse", + "sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba", + "sha256": "1382976ef19290c1857b535d15facff537acd5d5a33e5575372bef70ba4c9090", "type": "query", - "version": 103 + "version": 205 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "min_stack_version": "8.3", "rule_name": "At.exe Command Lateral Movement", - "sha256": "893d370046656c516a3d5b747ce8da0049fd49f11a14f685446dca5ada7bcbcf", + "sha256": "dd7f70787fff06dbfcdc2556f504ad62feda00ed2e1fa5d7effab3a1be31482f", "type": "eql", - "version": 1 + "version": 2 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", + "sha256": "614c1c668c20b47ea3131ada30c8e3553492804e1a59c5580715f70c757d07b6", "type": "query", - "version": 104 + "version": 206 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via OverlayFS", - "sha256": "933503a94667894209a5220b062fe18f2b075d5c0c0608171a3843cb264a4429", + "sha256": "c7deb10ffa59d05fbac1583edf15b565628cec521edbceb803f9b15c91400b85", "type": "eql", - "version": 2 + "version": 3 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.3", "rule_name": "Clearing 
Windows Console History", - "sha256": "7cf6587d86fbdfeb3c6513bb3c44adaeeff97831c1afb84ac5aa64fb8ed82298", + "sha256": "9f885fb22e236780df0b7209ca3b783bbbe19b69cd285ad32c8a24005ef089e7", "type": "eql", - "version": 106 + "version": 107 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.3", @@ -5115,9 +6060,9 @@ "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.3", "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "e83adb7abd38295e3992be00556c51a2381e38d400259af3c0d3ba9e3abe6d2d", + "sha256": "9fbd1c201afd94da2c21d31f6797a87f96380d6cb42df20af7ad7205ffcd05ac", "type": "eql", - "version": 106 + "version": 107 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "min_stack_version": "8.3", 
@@ -5127,18 +6072,36 @@ "version": 103 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Deactivate an Okta Policy", + "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8", + "sha256": "6a65ec96ad5423adc711dfec4c404f2e552f894f68eaa80a1f242d64218bbdc6", "type": "query", - "version": 104 + "version": 206 }, "b8075894-0b62-46e5-977c-31275da34419": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Administrator Privileges Assigned to an Okta Group", + "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3", + "type": "query", + "version": 105 + } + }, "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3", + "sha256": "1177bae4785512b7c84e85287f4a1e6555c016a06a1a91407ee74cee2c622ae3", "type": "query", - "version": 103 + "version": 205 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "min_stack_version": "8.3", 
@@ -5171,23 +6134,23 @@ "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "min_stack_version": "8.3", "rule_name": "Kirbi File Creation", - "sha256": "5cc88228ed8f2119aba7d21bef4e172fec1499a3b3b8168eb439cb581d94c2ac", + "sha256": "34a4c6af4a0abec4b49761fd3410e7ce843a7cd917929009de084283086d34f2", "type": "eql", - "version": 1 + "version": 2 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "26cd2a27b9188a119adafb00b69b4b1d5bbcbc60cfd384696c76c50e54bcff5d", + "sha256": "c5173c7852d544188783ae8ad6360a27c4dc99276c45cd65516112c2f3a24d88", "type": "eql", - "version": 105 + "version": 106 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", - "sha256": "ed8d32c408ebce2c38e498744b7f617e2d9a2b9a38139ad447c1c100b5844299", + "sha256": "975875643c470662591b7f92890f341af3ec06aaec4d7462d89b555ab08b31ea", "type": "eql", - "version": 106 + "version": 107 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "min_stack_version": "8.3", @@ -5213,16 +6176,16 @@ "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "e1cb2516563dc7520157b944c165c5b231a99942cdfcd049f1ef1d3213bf29d1", + "sha256": "24e7bf23a9b423f0ee788a5d588692dbf4cb7d5a9de672b20db27deb8f3d05fb", "type": "eql", - "version": 104 + "version": 106 }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "6babe233910e674621a9caa5ef06d385da6c55f240c6169e50263b3ee15edba5", + "sha256": "c475fe418c9dd5c5b6a357004cecb0f77ec12520167b225d77dcb436eb1094fd", "type": "eql", - "version": 105 + "version": 106 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.3", 
@@ -5234,9 +6197,9 @@ "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "2a8f252310526865a66c043e6fce6a09a1f3bb3a23422aefd2e8782f9f25e414", + "sha256": "4e20d0099e197e490805cd6edaf652e4b192b1c67cd120c9583905ac929dd623", "type": "eql", - "version": 104 + "version": 105 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "min_stack_version": "8.3", @@ -5246,11 +6209,20 @@ "version": 102 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Encryption Disabled", + "sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd", + "sha256": "60c1a7d5d2cd24c909689b37015df4508b993bdd925b050e1b45df21a23479ba", "type": "query", - "version": 103 + "version": 205 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "min_stack_version": "8.3", @@ -5262,9 +6234,9 @@ "bbaa96b9-f36c-4898-ace2-581acb00a409": { "min_stack_version": "8.3", "rule_name": "Potential SYN-Based Network Scan Detected", - "sha256": "a2fa63d2505d8c71652f2a4e23c141d1682d9ff045c088e18b89c6e85508516d", + "sha256": "2425bfd3bc54bb802d2646cf30575b92b6de9f1768145e593f3640a9ed1ba450", "type": "threshold", - "version": 2 + "version": 4 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "min_stack_version": "8.3", 
@@ -5274,11 +6246,20 @@ "version": 102 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Root Login Without MFA", + "sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Root Login Without MFA", - "sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26", + "sha256": "8f967af66ccd21f236403f460e274db15d0dab8e769626d091f26ddba123de07", "type": "query", - "version": 106 + "version": 208 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "min_stack_version": "8.3", @@ -5304,9 +6285,9 @@ "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port SSH connection", - "sha256": "92fe0317a5bf0deb57dbfeb4dcf96a13fa08ceb7e7a1e13f9f597eb9c94cda33", + "sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26", "type": "eql", - "version": 4 + "version": 5 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { "min_stack_version": "8.3", @@ -5322,12 +6303,19 @@ "type": "query", "version": 104 }, + "bcaa15ce-2d41-44d7-a322-918f9db77766": { + "min_stack_version": "8.9", + "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", + "sha256": "d63cfc91fa9b1bb91389ee64591686beafffd9f84982f78f22bcb437826e0180", + "type": "query", + "version": 1 + }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.3", "rule_name": "PowerShell Keylogging Script", - "sha256": "3d79fb63abbf974eea35cef0856ce1d799ebbf00d6ca813fc02212c88846a9b9", + "sha256": "e5e42d67e73c95c6558439ae96e3515ae045a15b9cf9349190ccb7ce1a5c3258", "type": "query", - "version": 109 + "version": 110 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { "min_stack_version": "8.3", 
@@ -5346,16 +6334,30 @@ "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "3e3047dea72b0e200ecac521c558ec5c07205beb177d77602fbbc760d41b3735", + "sha256": "95a277633a730cc76f1f3dd56678af752c6c0b11bd0eca7bf678452efce66786", "type": "eql", - "version": 1 + "version": 3 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.3", "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "9788f2c111d4f8b2f3e0fe64bf7ae3413c3de45f8b030b8611720aac8b263436", + "sha256": "49544ad4d81ab915c9fd10546c551f9f16cd314bd11afeb39e1d8c2f92d61242", "type": "eql", - "version": 105 + "version": 106 + }, + "bdfebe11-e169-42e3-b344-c5d2015533d3": { + "min_stack_version": "8.9", + "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", + "sha256": "5ae04a57c1b38d7e0492041cf77dd21a4f39bbab4665de39b2fa755166cf1faa", + "type": "machine_learning", + "version": 1 + }, + "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { + "min_stack_version": "8.9", + "rule_name": "Unusual Remote File Directory", + "sha256": "4ed65ee17e5e6a2e754823609612583d0e717cead35636b67da9903546d4f880", + "type": "machine_learning", + "version": 1 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.3", 
@@ -5365,11 +6367,20 @@ "version": 106 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Snapshot Restored", + "sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Snapshot Restored", - "sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6", + "sha256": "31690f503f33025d8d634b7c33d01adff504c8c0cdfbeab6519116149937669e", "type": "query", - "version": 103 + "version": 205 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "min_stack_version": "8.3", @@ -5378,12 +6389,19 @@ "type": "eql", "version": 2 }, + "bfba5158-1fd6-4937-a205-77d96213b341": { + "min_stack_version": "8.9", + "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", + "sha256": "5b26c01b0dbc43669ecd86f7d517896559de73bb5322add585302163804f23fc", + "type": "machine_learning", + "version": 1 + }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "7571708ba81c1f4c57ec35169932645127841b408009313e8f8135ce0047e56f", + "sha256": "48070e6a13563fdaf1cc968863fd1afaf4838e89682767a13af387858571ec00", "type": "eql", - "version": 107 + "version": 108 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "min_stack_version": "8.3", 
@@ -5395,9 +6413,16 @@ "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "1d3f46774fa553848617bda8c90e9702f60b946e32a622488929bf506f40dae3", + "sha256": "b703ff542262a1b01cce71377aa6ca313a15387e5c2b986a98d27924ecb2782f", "type": "eql", - "version": 105 + "version": 106 + }, + "c0b9dc99-c696-4779-b086-0d37dc2b3778": { + "min_stack_version": "8.3", + "rule_name": "Memory Dump File with Unusual Extension", + "sha256": "d6064fcc8c3a68d8ecb16d376fef04353be367b0f897433bc82b46a6569f0eb5", + "type": "eql", + "version": 1 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "min_stack_version": "8.3", 
@@ -5409,23 +6434,41 @@ "c125e48f-6783-41f0-b100-c3bf1b114d16": { "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI index.html File", - "sha256": "2195aa627b79e9257bce750418e362ba1b3e8afcb6b58e9fb9d1e7cb145e171d", + "sha256": "6ce01312cbd857003098b2b0753a1ec8356a09b109b020cdc2ab369082ffbf8c", "type": "eql", - "version": 3 + "version": 4 }, "c1812764-0788-470f-8e74-eb4a14d47573": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Full Network Packet Capture Detected", + "sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d", + "sha256": "53d6e6b5dc3942bb911622ffd2582ed4e8a3bff445df0e269aba07ed320f34e8", "type": "query", - "version": 103 + "version": 205 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 100, + "rule_name": "Unsigned DLL Loaded by a Trusted Process", + "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", + "type": "eql", + "version": 1 + } + }, "rule_name": "Unsigned DLL Loaded by a Trusted Process", "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", "type": "eql", - "version": 1 + "version": 101 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.3", 
@@ -5493,9 +6536,9 @@ "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "min_stack_version": "8.3", "rule_name": "Windows System Network Connections Discovery", - "sha256": "56bf9828457985099728e90f9046ec5d50ba668e7b911712abec96eaa3d6d665", + "sha256": "16cd4b39c59281f69407d88a2f0bbadab7ac9d1408c9e0c6e5400a92f25898d9", "type": "eql", - "version": 2 + "version": 3 }, "c55badd3-3e61-4292-836f-56209dc8a601": { "min_stack_version": "8.3", @@ -5514,9 +6557,9 @@ "c57f8579-e2a5-4804-847f-f2732edc5156": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "0754db6d4f87bf3dbed35d286a6313e4dd925ac4336f36dfb27b7f5fdb03719d", + "sha256": "0710403c8d618e71c165c7b8eb160bed4e6e439b9d9c904d9b5af9aa9be9588e", "type": "eql", - "version": 105 + "version": 106 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "min_stack_version": "8.3", @@ -5528,9 +6571,9 @@ "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "cb3a027cc825279d6ff1f31d31e63c3ce7ddce596ef2f0427bba0b3ffeb643f6", + "sha256": "9703a3f1e0ab87710ef683407452f9491a296fbb9fb21c1270d48f28039443a0", "type": "eql", - "version": 104 + "version": 105 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.3", @@ -5542,9 +6585,9 @@ "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "8cf1d0abaed488b33ec708608f9a5ba1ec08a67e664df9145ebf1800d2701adb", + "sha256": "a6a7a57d9d9f53170aaca5b52e31fa5987b52d03287d461f35903e7a94f3c49e", "type": "eql", - "version": 106 + "version": 107 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "min_stack_version": "8.3", 
@@ -5567,18 +6610,36 @@ "version": 100 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Delete an Okta Network Zone", + "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a", + "sha256": "32aa247af72d8bfb3ed85d34d5c359b595a21f5b5ef6703aec68875147b2110f", "type": "query", - "version": 104 + "version": 206 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Attempt to Modify an Okta Application", + "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0", + "type": "query", + "version": 105 + } + }, "rule_name": "Attempt to Modify an Okta Application", - "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0", + "sha256": "d9ce411d12a9dcd03a68e93eedabd0fc200c743908746faf634ade8744ff7f32", "type": "query", - "version": 103 + "version": 205 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.3", @@ -5606,9 +6667,9 @@ "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.3", "rule_name": "Unusual File Modification by dns.exe", - "sha256": "26595f8f9541a3d4b1ce33b50669bb5f8e620a68f9063c6c07ef0eef97271b42", + "sha256": "462a72ca87888591497bad05c41909f4b20b28e8be26d594546e563f178bd706", "type": "eql", - "version": 106 + "version": 107 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "min_stack_version": "8.3", 
@@ -5627,9 +6688,9 @@ "c82b2bd8-d701-420c-ba43-f11a155b681a": { "min_stack_version": "8.3", "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "128d5682da221aeffcdc38868dcaa75f484b8b2411f3c7a2eae8881f6e41e861", + "sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67", "type": "query", - "version": 102 + "version": 103 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "min_stack_version": "8.3", 
@@ -5654,37 +6715,37 @@ "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "min_stack_version": "8.3", "rule_name": "Parent Process PID Spoofing", - "sha256": "c3dac03f556b89e88f147aed56f297767b5d0a9110cdf317ef621032e9aae739", + "sha256": "e1789b1189d98d1c0dd3e14aef3df67f994982f60001aab44c9785a8bab9bb3a", "type": "eql", - "version": 104 + "version": 105 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "min_stack_version": "8.3", "rule_name": "Potential Linux Ransomware Note Creation Detected", - "sha256": "6c899bbc998ab3b8926434c8838a0567b3e9daab6ac42337689be77fa96f4c6b", + "sha256": "d16c1571f4991e8257fc206ff4e66afbab3d14994c0b00534ab992bd948529be", "type": "eql", - "version": 5 + "version": 6 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.3", "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "d820917b8b190283034007d7db8ba4ac8ef6bd82e9d9d8a9f256976c0fa2623d", + "sha256": "1d46ce00fb8fa393c7b0122644b3e0a367bb2ce96e5767209a2e3f101b552c52", "type": "eql", - "version": 107 + "version": 108 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.3", "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "dfa996d0665851351caf73bca44bb19208342678d818aff4cc77005b0092ca67", + "sha256": "a2dad54c59a4df7c89caa5e11af6d9425532fe82b26ef1c0588f4d7b835f71ec", "type": "eql", - "version": 106 + "version": 107 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "1d87bf52f955049b3e1220e65c69464b5d6c21362b8762df0b397d412b1537ee", + "sha256": "a5e68609def010ae4cea5c31b29ec9740ce793360ee2d0c8995ce5c93286ed58", "type": "eql", - "version": 3 + "version": 4 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "min_stack_version": "8.3", 
@@ -5703,9 +6764,9 @@ "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "min_stack_version": "8.4", "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "94fbed29b0713d997d61575509179ec8a3aaf3580b4c2661a2a42ef4e7e50aef", + "sha256": "cbc3f42a7bcbc551c94f4915bbf898b210a4747c014608e39f4a2a12501d1682", "type": "eql", - "version": 4 + "version": 5 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", @@ -5725,9 +6786,9 @@ } }, "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "16d0a37c5a0c0c7de7d31afcbfae78cadf1e1c87ed0eb87f347d3c6a44b1ae00", + "sha256": "5f9d6f9747305b2a9d59f1c2bb89ec12610c7490a57f1ccb24de236f42839d9b", "type": "new_terms", - "version": 209 + "version": 210 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.4", @@ -5765,6 +6826,13 @@ "type": "query", "version": 104 }, + "cc653d77-ddd2-45b1-9197-c75ad19df66c": { + "min_stack_version": "8.9", + "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", + "sha256": "6be5434c46b81e00bf29a5b3c08506bb5fefe291cfffe9666594851bd81d5007", + "type": "machine_learning", + "version": 1 + }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "min_stack_version": "8.4", "previous": { @@ -5789,11 +6857,20 @@ "version": 104 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Attempt to Deactivate an Okta Policy Rule", + "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999", + "type": "query", + "version": 107 + } + }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999", + "sha256": "b478201ba15dcd2c82b79fa58c4c175e917d642653a86009ecf389042156d85c", "type": "query", - "version": 105 + "version": 207 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "min_stack_version": "8.3", 
@@ -5803,11 +6880,20 @@ "version": 105 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", + "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6", + "type": "query", + "version": 106 + } + }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6", + "sha256": "06745b57fd263169ae59b2d860b840a6deb4a911da424fa9267827a54e77c61f", "type": "query", - "version": 104 + "version": 206 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -5825,9 +6911,9 @@ "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "min_stack_version": "8.3", "rule_name": "Kernel Module Removal", - "sha256": "06acdf4e4f36bf4d2e6e3f0d424b81264fc5262e89ef2db45dae483404ffce09", + "sha256": "7b92ec2e6a2290e49b0168c42351731b5a03508b59cbed4d0dd0127f6ab8ded1", "type": "eql", - "version": 105 + "version": 106 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "min_stack_version": "8.3", 
@@ -5837,39 +6923,57 @@ "version": 1 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Deactivate MFA for an Okta User Account", + "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Deactivate MFA for an Okta User Account", - "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7", + "sha256": "21e5d78749220436e967eeeb044dd1f1f605e2586c03e609b54561405c40cccf", "type": "query", - "version": 104 + "version": 206 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Okta User Session Impersonation", + "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5", + "type": "query", + "version": 107 + } + }, "rule_name": "Okta User Session Impersonation", - "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5", + "sha256": "0a3253294eddbc09d843b81fe8f461f26e5b01e8456dc88dbce7c79923ff93b7", "type": "query", - "version": 105 + "version": 207 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.3", "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "8dd2c1c84b0fc1c9b380b49e3924012569cff3b126def7c497f092a63a057eff", + "sha256": "cb505702842c62bf14d57f592e2da9b793b4232bb14db1dc07ce3ee3dca88d72", "type": "query", - "version": 5 + "version": 6 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.3", "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "e749e4d6a22d62d8564e36ff162cddb0342351273f7ae3f914f1781e4a6757e0", + "sha256": "2abbf97e21f0197022ef274f0c7aaf1326d6645628f586e1bbc7e75dd4bf6dac", "type": "eql", - "version": 105 + "version": 106 }, 
"cf53f532-9cc9-445a-9ae7-fced307ec53c": { "min_stack_version": "8.3", "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "d72e36349524c074ac047562258cfce46273ee90ce47cd6b4d7bf6583558e37b", + "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", "type": "query", - "version": 103 + "version": 105 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "min_stack_version": "8.4", @@ -5887,6 +6991,13 @@ "type": "query", "version": 205 }, + "cf575427-0839-4c69-a9e6-99fde02606f3": { + "min_stack_version": "8.6", + "rule_name": "Unusual Discovery Activity by User", + "sha256": "2dec950ffa14b4863a879f391b045196709a774f032c8bc35d8f61ba20e2bfff", + "type": "new_terms", + "version": 1 + }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { "min_stack_version": "8.3", "rule_name": "Trap Signals Execution", @@ -5901,12 +7012,19 @@ "type": "eql", "version": 108 }, + "cffbaf47-9391-4e09-a83c-1f27d7474826": { + "min_stack_version": "8.3", + "rule_name": "Archive File with Unusual Extension", + "sha256": "6fc1f60a466fb9cafbd52086ffba78f59d5ba996e6301563a12e09205b193e84", + "type": "eql", + "version": 1 + }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "min_stack_version": "8.3", "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "62f6fba73304cb10595e4f538a276512b741e0029111d72087049753411361eb", + "sha256": "400a4ff29714ab2561d2a413f2f404116f8fe1067cb678f32d05daa204ee8316", "type": "eql", - "version": 6 + "version": 7 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "min_stack_version": "8.8", 
@@ -5918,23 +7036,23 @@ "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "ec194a453dd3acbf1dffd2e109f77cbbc7051fdfa80409701304809ce5654c43", + "sha256": "c206dc61a4c2ae0d1f412a63bcffc413ce72bb6de4d4c86c670d3c066dd1662e", "type": "eql", - "version": 105 + "version": 106 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "min_stack_version": "8.3", "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "da76314ab374a374b6612165cb783f7d25612235f241744919149cb6d00af975", + "sha256": "077587010e7e194ab3d20e99f290d4a9813931fa3a4c1f4bd01f8a875b0a274a", "type": "eql", - "version": 106 + "version": 107 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "min_stack_version": "8.3", "rule_name": "Expired or Revoked Driver Loaded", - "sha256": "58dd943fa10c8dc106e4f561c6a5755a555d7dd1116a6e82a02678f77be051f4", + "sha256": "bcc8530ce8aa18d4efbc4c6c3709e6308cacb5408758aa722e8a7c30dca27138", "type": "eql", - "version": 2 + "version": 3 }, "d197478e-39f0-4347-a22f-ba654718b148": { "min_stack_version": "8.3", @@ -5959,16 +7077,16 @@ "d31f183a-e5b1-451b-8534-ba62bca0b404": { "min_stack_version": "8.3", "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "73e5e14af530fc3c0ff1a000b5b32bc30097045766025d6a7240dc31794faa7e", + "sha256": "52bed23a3a6e8d13a93def9f01fc3f4de6094c7cbd2b55eb10637d659a556dd1", "type": "eql", - "version": 106 + "version": 107 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "min_stack_version": "8.3", "rule_name": "Clearing Windows Event Logs", - "sha256": "14a1097b7ee5b1d73b9dd86e6c7326ea224be99416f6f947d03c968723badf8c", + "sha256": "8ab63a4886ad2a72cbb3c1b616a3f462298f7cc74de154654064c96b035d343e", "type": "eql", - "version": 107 + "version": 108 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "min_stack_version": "8.3", 
@@ -5992,11 +7110,20 @@ "version": 104 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Attempt to Delete an Okta Application", + "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7", + "type": "query", + "version": 105 + } + }, "rule_name": "Attempt to Delete an Okta Application", - "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7", + "sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6", "type": "query", - "version": 103 + "version": 205 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "min_stack_version": "8.3", @@ -6022,16 +7149,16 @@ "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "min_stack_version": "8.3", "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "a386bc0314dc614dce09c10f76f04e239c85cffb8e305a1a37dc816fe8d0e466", + "sha256": "f5c2c64714e19cc3d5437f0039d3baa83ae9aa8fd5af5dcbd5b6655156c6e9af", "type": "eql", - "version": 1 + "version": 2 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "sha256": "351666156e6d77e8c9c195311cd45ba8c31b9e97ea0fd1503c48c15a776c1918", + "sha256": "3c95ccf8f67a50f03ac411052a8a2da81d0483634ff43782835b20a2eee49275", "type": "eql", - "version": 2 + "version": 3 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "min_stack_version": "8.3", 
@@ -6041,11 +7168,20 @@ "version": 104 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Delete an Okta Policy Rule", + "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6", + "sha256": "537f87bddcb81e9ba189e215fbb67e630dc5362f718cb3d8e57f843bd129033a", "type": "query", - "version": 104 + "version": 206 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.3", @@ -6055,11 +7191,20 @@ "version": 105 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Log Stream Deletion", + "sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f", + "sha256": "5bc55e01a217a6d8069b08e636d1e12080f2a96b645cc68f8f33806d04a820ee", "type": "query", - "version": 106 + "version": 208 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "min_stack_version": "8.3", @@ -6077,9 +7222,9 @@ "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { "min_stack_version": "8.3", "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "123d0512c4355047e5fc67352b4ba9a65b7bd2515f7513409a0276a2414ce054", + "sha256": "e19053836a709b816dc84ce8ced0ba8168ccd803d9c077141d35d3a0679f082f", "type": "eql", - "version": 6 + "version": 7 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "min_stack_version": "8.3", 
@@ -6098,9 +7243,9 @@ "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "min_stack_version": "8.3", "rule_name": "Command Execution via SolarWinds Process", - "sha256": "e5a39260fe132207d539ea518652001adadec98c3bbe9ddaff7d7e7b0e673a57", + "sha256": "be781bb6c568f6e3338fe8a85423ad7b2bed67673e71befc92524a519bf29602", "type": "eql", - "version": 106 + "version": 107 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "min_stack_version": "8.3", @@ -6119,9 +7264,9 @@ "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "23765713e12113ddb20663a6b929ed119d23f9106635fe4998ce6990dd394d97", + "sha256": "c44526d9a91a1fd72764e5afb5ad5c6a99415825884efde1516a72afc827756a", "type": "eql", - "version": 107 + "version": 108 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "min_stack_version": "8.3", 
@@ -6140,37 +7285,53 @@ "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "min_stack_version": "8.3", "rule_name": "SMTP on Port 26/TCP", - "sha256": "a83fb857076a042c492fa2affcd6539e499ab52f67b336d1e47854a3e23a13d3", + "sha256": "3816b9a7c573ec98806b9cc52fc8e281cd0559c43a7c7fce52c60f63c8a8eb2f", "type": "query", - "version": 102 + "version": 103 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "min_stack_version": "8.3", "rule_name": "Untrusted Driver Loaded", - "sha256": "c5ce1faffd687af5423c4bad755a8d5d182a6c74fde100b49092067a43111e70", + "sha256": "aa9adda1ac8dfe9c91e83c7741e046bb1553fda39b7e023d70c58e86fa012e11", "type": "eql", - "version": 5 + "version": 6 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Deactivation of MFA Device", + "sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53", + "sha256": "7e7bcfe14adab55f0ac9ab6478a826ff0dff7b31efe686b94a1bbf30d730bdd6", "type": "query", - "version": 106 + "version": 208 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "638b38528aaa1d362737de0ee6c2c010913f44c8179a2ac928dbedc9473049f6", + "sha256": "8442e8cbb922de0f547562302bde985f3e343662547902ae1b3ad81817991b14", "type": "eql", - "version": 106 + "version": 107 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "8376f30e9c1abd833e2b39242f04ba3f296fe0f2c153e3feda039d77b73ffd6f", + "sha256": "2102e91dda480a20979378bce1f9ce3243b54439c2ac1961ad795862fe956692", "type": "eql", - "version": 5 + "version": 6 + }, + "da7f5803-1cd4-42fd-a890-0173ae80ac69": { + 
"min_stack_version": "8.9", + "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", + "sha256": "fd0e143d1c3b97e0d0f5faf7c2574e3a80509905c6d6564cc15eadb49661058d", + "type": "query", + "version": 1 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "min_stack_version": "8.3", @@ -6202,9 +7363,9 @@ "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "min_stack_version": "8.3", "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "b778970c6f8ec04e3dbcf851f3553e72e19420cdbf1181efb2a8d360ec4f49a2", + "sha256": "f4edf52a98e83ab010153cdffb7067610814b7fcc0414bb5e8dcee5bf8d0d3ff", "type": "eql", - "version": 1 + "version": 2 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "min_stack_version": "8.3", @@ -6223,9 +7384,9 @@ "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "min_stack_version": "8.3", "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "f64d050e90fd179771887f3ae5d3ecdd6d9c638572d6ecb8cb513fddcd5496df", + "sha256": "e4df76ec7b5df39c1969e559f1a6da83fa65a42ce5b7d0309e543137738e41d0", "type": "eql", - "version": 2 + "version": 3 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", 
@@ -6236,23 +7397,32 @@ "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "df8a6dcbb0d179f109c810c8d819c0e48c62c8280a2c6196d00ba951b1486594", + "sha256": "d42dea9b11a475bd84ac3a3f2a7556720a15eec56ff92168c87ed712e91e8908", "type": "eql", - "version": 3 + "version": 4 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "2ec7ebca77b749a6e4385185ffcbdbc71c0c3a9600b7599bb7b6462c6d84a28a", + "sha256": "068a220aff143f426d32e403fb68a377e120e375f657e84217c3eb4f399e543f", "type": "eql", - "version": 106 + "version": 107 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual Country For an AWS Command", + "sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Country For an AWS Command", - "sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946", + "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561", "type": "machine_learning", - "version": 106 + "version": 208 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "min_stack_version": "8.3", @@ -6271,9 +7441,9 @@ "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "min_stack_version": "8.3", "rule_name": "NullSessionPipe Registry Modification", - "sha256": "cdf948e2a073cb6319fa302acc7b0fc8a11477746659be69cff0c9b7860403b8", + "sha256": "6ff22a837ebb0aeecf0c358977ae439d6e5c872e7d002a5a13622b00638fa02a", "type": "eql", - "version": 105 + "version": 106 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "min_stack_version": "8.3", 
@@ -6285,23 +7455,32 @@ "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "0ec40a6ffaf45b8d92ca2b163b9aabf5bde1a0fbb801e77ab931a36571295fb1", + "sha256": "e1754aece5bca9de7f3a297a9ebcfde160a4c48fdba1042e55a503c43af3a487", "type": "query", - "version": 105 + "version": 106 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Query Registry using Built-in Tools", + "sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd", + "type": "eql", + "version": 2 + } + }, "rule_name": "Query Registry using Built-in Tools", - "sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd", - "type": "eql", - "version": 2 + "sha256": "1ce3bd6bd9c91187b6ee6941b8adf51a9bc72c81dd5bcc25fe03bd480f1122eb", + "type": "new_terms", + "version": 102 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "min_stack_version": "8.6", "rule_name": "First Time Seen Driver Loaded", - "sha256": "e35873c4c836a040e5f558474966d7bd8b224776bcebab71cd3db0279a1068d2", + "sha256": "ad243a0040fbf3b300d379e356e6d3eb10209a2132942ac2f4e08962b1e8bd79", "type": "new_terms", - "version": 5 + "version": 6 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "8.3", @@ -6320,9 +7499,9 @@ "df6f62d9-caab-4b88-affa-044f4395a1e0": { "min_stack_version": "8.3", "rule_name": "Dynamic Linker Copy", - "sha256": "3e2bd8f151616982adae6eeff5311584831c41100d151b5327e9a39e41354ef4", + "sha256": "4c3f4b8b94c3abf50fada6c7104d6fcffb6126ad61920c98219b8ca2d1f7af00", "type": "eql", - "version": 104 + "version": 105 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "min_stack_version": "8.4", 
@@ -6346,6 +7525,13 @@ "type": "query", "version": 100 }, + "e00b8d49-632f-4dc6-94a5-76153a481915": { + "min_stack_version": "8.3", + "rule_name": "Delayed Execution via Ping", + "sha256": "dea7cf4add6220cd27ddb9f1a641b95436204b87ca0fca1c18dc903d50ce57a4", + "type": "eql", + "version": 1 + }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "min_stack_version": "8.3", "rule_name": "Azure Firewall Policy Deletion", @@ -6363,16 +7549,32 @@ "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "min_stack_version": "8.3", "rule_name": "System Service Discovery through built-in Windows Utilities", - "sha256": "ff2526e88d22d00ba16eca2c07ec3bec5e06c7785739a7ab842edd79c975943f", + "sha256": "5b07769d45f5a33fcbe539609647986809d75daea1b8aa5874d0ae7f0e6a8892", "type": "eql", - "version": 4 + "version": 5 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Attempts to Brute Force an Okta User Account", + "sha256": "71bc21a2e39ae429903f27a300a650a34aed1adfba8e5ce63f527c8362e23d02", + "type": "threshold", + "version": 107 + } + }, "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "71bc21a2e39ae429903f27a300a650a34aed1adfba8e5ce63f527c8362e23d02", + "sha256": "10ee903471646d3de3429f99b45cf5e5d7fadc3fda75e3d87f0d1f495d30f511", "type": "threshold", - "version": 105 + "version": 207 + }, + "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { + "min_stack_version": "8.3", + "rule_name": "Potentially Suspicious Process Started via tmux or screen", + "sha256": "b30b5b205b4d258de4072197ae2f131b0716891f4297ffc36e6a2549b7ca66fc", + "type": "eql", + "version": 1 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "min_stack_version": "7.16", 
@@ -6389,32 +7591,57 @@ "version": 102 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route Table Created", + "sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route Table Created", - "sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835", + "sha256": "4081dda0ac65323a45109124e0222f68584e912ecdc216ad1e2f5b8f9f431afc", "type": "query", - "version": 103 + "version": 205 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Cluster Creation", + "sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Cluster Creation", - "sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf", + "sha256": "064737df50105c6e8c5336eb8537b218f80ef6e29e079214fe8dca37dc5bda32", "type": "query", - "version": 103 + "version": 205 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "min_stack_version": "8.3", "rule_name": "Connection to External Network via Telnet", - "sha256": "812d614780faf4725c6f1f5361fd6e47e40c2ea93429a55d3e577c3517074577", + "sha256": "ecd74e5b4a0d9320b567ccff15b0551b10812d52a6a99e120eb4e09dc3c70a70", "type": "eql", - "version": 104 + "version": 105 + }, + "e1db8899-97c1-4851-8993-3a3265353601": { + "min_stack_version": "8.9", + "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", + "sha256": "1ce0e6ef09a67c9f0018cebdedc41c09e0f2d980c0892d2c58f1e17af536bd70", + "type": "machine_learning", + "version": 1 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "min_stack_version": "8.3", "rule_name": "Suspicious Mining Process Creation Event", - "sha256": 
"d5d199aba7de4375e54e1a420264755c1e6c6e2326dabf9ca76f2cd5285ebe46", + "sha256": "c283a96f0e6778b4047079842cb8724e31caef3444301c6475256a53b012ee57", "type": "eql", - "version": 3 + "version": 4 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "min_stack_version": "8.3", @@ -6426,16 +7653,25 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.3", "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "619ca917a538026a7832ad49ce85327632de2c6218731727c03f1492ef67e712", + "sha256": "8c840abd0eed39efbf4517ceb247d5a1e29c14df891f7fc68b9c8ca19af732fa", "type": "query", - "version": 108 + "version": 109 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Management Console Root Login", + "sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Management Console Root Login", - "sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89", + "sha256": "c4f8568aee037cc76372958fdfc1556649341e70f4d8ffc9a8a3f8c1e5fbe0e6", "type": "query", - "version": 106 + "version": 208 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "min_stack_version": "8.3", @@ -6454,9 +7690,9 @@ "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.3", "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "b8ef093aa90790193389f0a3b2eb27568f9516fec3932bce89da7213cabf2393", + "sha256": "f4aa9648ae148430d56ec66b1b05383eff95f446f9d746fa618a5fd5d74b932d", "type": "eql", - "version": 106 + "version": 108 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "min_stack_version": "8.3", 
@@ -6473,11 +7709,20 @@ "version": 107 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route53 private hosted zone associated with a VPC", + "sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12", + "sha256": "58bf1f2fc9acd22be3c161424a77c2a213cf1401372313a2272d73d6af866d41", "type": "query", - "version": 103 + "version": 205 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "min_stack_version": "8.3", @@ -6496,16 +7741,25 @@ "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "1b8c0a0d497da1a7aa237cea422221680d66e067bd3cb56754342e2426b8456e", + "sha256": "47990704fcf218a068f07339d376b36fe1ff72c831754b08f0dffed5768cc04d", "type": "eql", - "version": 105 + "version": 107 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Modify an Okta Network Zone", + "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456", + "sha256": "6d57260382880fab2e20021bd0235b13974bf1bde3fcdb2fe4b85484ea80f4c6", "type": "query", - "version": 104 + "version": 206 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.3", 
@@ -6517,9 +7771,9 @@ "e514d8cd-ed15-4011-84e2-d15147e059f1": { "min_stack_version": "8.3", "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "f58e148fb90ab12de044fc7afa0a2778b71ecd8643082310872048c0960b54d4", + "sha256": "ff07330e7b280ebe26aff63e3c933ca68bc9e57095f06822a1ce1a766f8aa2d4", "type": "query", - "version": 107 + "version": 108 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "min_stack_version": "8.4", @@ -6546,9 +7800,9 @@ "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "min_stack_version": "8.3", "rule_name": "Bash Shell Profile Modification", - "sha256": "89a6e5c6d2b9b24839bad3982fe4350838838f91a099081af2d9e17bbd48eb02", + "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3", "type": "query", - "version": 103 + "version": 104 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "min_stack_version": "8.3", @@ -6558,11 +7812,20 @@ "version": 104 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Possible Okta DoS Attack", + "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391", + "type": "query", + "version": 105 + } + }, "rule_name": "Possible Okta DoS Attack", - "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391", + "sha256": "065c5e51d3541a24ee401d4b9da8787e8fb858c1e89938d7f7fa8daf46e7199e", "type": "query", - "version": 103 + "version": 205 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "min_stack_version": "8.3", 
@@ -6574,9 +7837,16 @@ "e7075e8d-a966-458e-a183-85cd331af255": { "min_stack_version": "8.3", "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "c0e04ce1aa8f8652c9593631d1a9692ea6c265ee388e504ccc1d3c225ad62272", + "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e", "type": "query", - "version": 103 + "version": 104 + }, + "e707a7be-cc52-41ac-8ab3-d34b38c20005": { + "min_stack_version": "8.3", + "rule_name": "Potential Credential Access via Memory Dump File Creation", + "sha256": "49debe62710e167c237de800f3dd2ce6ad4a3f4a6effd957439d576770b4e7c9", + "type": "eql", + "version": 1 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.3", 
@@ -6586,46 +7856,64 @@ "version": 105 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "Suspicious WMI Event Subscription Created", + "sha256": "ab002c02bd96a6d77776ccb1b5fe96cb19d8ee3fa408b8c5853d7a4580f3fc18", + "type": "eql", + "version": 5 + } + }, "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", "type": "eql", - "version": 4 + "version": 105 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "min_stack_version": "8.3", "rule_name": "Unusual Process For MSSQL Service Accounts", - "sha256": "3b88ce7678e0afd9133e4614123484e05b3c652f2ee1b555271860a540e9e01a", + "sha256": "b79eae658a0dc89978d022131f60766565b9d713cf71cfa900e632da05719fe3", "type": "eql", - "version": 1 + "version": 2 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "6b4158b68c196337a5ca798c23c4e99e1f5b63dcc09404ce703310ffa3115658", + "sha256": "9dabc489226c779aadc8aebd27fd06248863464f8c3eb77f8e3e65ea9de31581", "type": "eql", - "version": 4 + "version": 5 }, "e7cd5982-17c8-4959-874c-633acde7d426": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route Table Modified or Deleted", + "sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730", + "sha256": "2199bfaa82c73c0e3d8e7c4dd8d7df67b438163716298173157240784ea80fdc", "type": "query", - "version": 103 + "version": 205 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.3", "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": 
"9d7d295720f93607b0c637e791d1135a828f9a60edfd04a13aea1c2f444cddfb", + "sha256": "2894b45c8036eb38c332ca6f58cdcc5e872a80caa4e846636d051be8a166fcfe", "type": "eql", - "version": 106 + "version": 107 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "min_stack_version": "8.3", "rule_name": "Installation of Security Support Provider", - "sha256": "07f742804dcc4362c3a6df0146ffd869e3e92a5e39ed19fbc676e1a205762fca", + "sha256": "05e809fb643c5c0b932f08cf325d5b980c1be26c2322a33497bf7931a54612bb", "type": "eql", - "version": 104 + "version": 105 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "min_stack_version": "8.3", 
@@ -6635,32 +7923,66 @@ "version": 4 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { - "min_stack_version": "8.4", + "min_stack_version": "8.6", + "previous": { + "8.4": { + "max_allowable_version": 102, + "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", + "sha256": "3a05a24c654cdb42c8718f7cf97e55b13d9be01f97cfd17a78db8f616168fa80", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": "386862fe4e944388b9eada8008e45520c98413131236b3c1dbdffd72bd7b2db3", + "sha256": "b2bf47b2d754b97d1201f5d927c49421ceb71609ac667f07c240495f839cd6be", "type": "new_terms", - "version": 2 + "version": 103 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", + "sha256": "94f8f87bf5279e92dae5e3f1a86adcc88c5e03a1ddc2d3ee3878b1ef488abd08", + "type": "threshold", + "version": 107 + } + }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "94f8f87bf5279e92dae5e3f1a86adcc88c5e03a1ddc2d3ee3878b1ef488abd08", + "sha256": "bb06cc2e64669d793dd0ab51b8f596cf9ed9f9454f861ae51504837bb3552d10", "type": "threshold", - "version": 105 + "version": 207 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 VM Export Failure", + "sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 VM Export Failure", - "sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31", + "sha256": "3d6439c0aa3958b93a6dddcf1bd5a4bd85a8a42ea1de077784cbcddffa9842dd", "type": "query", - "version": 103 + "version": 205 + }, + 
"e92c99b6-c547-4bb6-b244-2f27394bc849": { + "min_stack_version": "8.9", + "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", + "sha256": "f4946a910d3c5cf165420c1f5768200c1484fdc853e0a53756994d7993255dd4", + "type": "machine_learning", + "version": 1 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "min_stack_version": "8.3", "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "2691fb427b7fddacc7927bc417d5dab77367c0f14203e072f86d3aefe7a62802", + "sha256": "0932a11d1af761dc69c880afac16d9f8543316e5b003ac9c7f31d6a1b903eb5b", "type": "eql", - "version": 107 + "version": 108 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "min_stack_version": "8.3", @@ -6669,6 +7991,13 @@ "type": "eql", "version": 104 }, + "e9b0902b-c515-413b-b80b-a8dcebc81a66": { + "min_stack_version": "8.9", + "rule_name": "Spike in Remote File Transfers", + "sha256": "5a680fcc21fa3a04e8559fed157bb4ad2d12ae704220ebfb794b987dd5e7f9ab", + "type": "machine_learning", + "version": 1 + }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", "sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a", 
@@ -6688,12 +8017,28 @@ "type": "query", "version": 100 }, + "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { + "min_stack_version": "8.9", + "rule_name": "Unusual Process Spawned by a Parent Process", + "sha256": "e0eb8a5cb723b6d21c3bd60ed9f2fbaa258b957aaf1c3ccb239075cb1bd9e3a2", + "type": "machine_learning", + "version": 1 + }, "ea248a02-bc47-4043-8e94-2885b19b2636": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Brute Force of Assume Role Policy", + "sha256": "d8fbba1e46a7add1e78c5e5e8efbbd07526667d98224a35765adf2574e4c6e80", + "type": "threshold", + "version": 108 + } + }, "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "d8fbba1e46a7add1e78c5e5e8efbbd07526667d98224a35765adf2574e4c6e80", + "sha256": "c03ce8fcb77809e7578333b7e52f0fe9d851c9f6687eb1a7d20a33e2b642ed3f", "type": "threshold", - "version": 106 + "version": 208 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "min_stack_version": "8.3", @@ -6719,9 +8064,9 @@ "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "a05367ae65e4b39de37332b4894eb8085397b7fbf86eb16ab1899b6d60beac4d", + "sha256": "19a8d98813f7227deaf511c0d633facc03ce98eca134cbf0ad8d95277312d2bd", "type": "query", - "version": 107 + "version": 108 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "min_stack_version": "8.3", @@ -6733,9 +8078,9 @@ "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", - "sha256": "b8f1ac64b7c560cb7647ffb41b0bcbedc7b257a7f316fcbeb491b84b7b09c94c", + "sha256": "039692bcb30d46067fc586c4ebcd04997a968d5c426694130fea5aeb0a48d46b", "type": "query", - "version": 105 + "version": 106 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.3", 
@@ -6772,12 +8117,28 @@ "type": "query", "version": 102 }, - "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { + "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "min_stack_version": "8.3", + "rule_name": "Executable File with Unusual Extension", + "sha256": "d740eda69b10b688372f488feab1a6e9af2a26122ee1f6af6de7612aa33706e8", + "type": "eql", + "version": 1 + }, + "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Instance/Cluster Stoppage", + "sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b", + "sha256": "ac0a0d9ae3dd952d42b9953594ccbb2e820c3b3754a613810c6568a3fb3205bc", "type": "query", - "version": 103 + "version": 205 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "min_stack_version": "8.3", 
@@ -6789,23 +8150,32 @@ "eda499b8-a073-4e35-9733-22ec71f57f3a": { "min_stack_version": "8.3", "rule_name": "AdFind Command Activity", - "sha256": "84fe4ed20d10995793ab80c3edcadea3a2e6590b1c71d8b0f7ae5f3400276e36", + "sha256": "b3773d30c5a81754f182b5e16112b660ce51afc7217b471c07c135c92343561e", "type": "eql", - "version": 106 + "version": 107 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Deactivate an Okta Application", + "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973", + "sha256": "6015ee3b4d4c29fbd1e06ca5bb2947716089acffc92c07d1e1ef36a3aace0a7c", "type": "query", - "version": 104 + "version": 206 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.3", "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "3482abb380dae16ed856b1c92ebf753d98d655730383b3e1e6329221b64d7f96", + "sha256": "2879ba6dedb4672f2a2edf42d9b51a445ad7e87deafca2d3e115c225361d1e52", "type": "eql", - "version": 106 + "version": 107 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "min_stack_version": "8.3", 
@@ -6844,16 +8214,16 @@ "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "min_stack_version": "8.3", "rule_name": "BPF filter applied using TC", - "sha256": "dfcaee87ab5815bd4120fc20f1cfd41d481913aa1b077dd7e28539febe9bd5d9", + "sha256": "d3b6a041bc5f899f14ba0e350fbb36350e02d5800b1751b2bff3950a02bab9e4", "type": "eql", - "version": 105 + "version": 106 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "421ac0a4b80d62b16f199e6f04b38b5b8c1c8dbed801722495c596321864b0fb", + "sha256": "fa04606235d591a3a18f27ac11497e0b0b3c0db64ac9d3cdae52dac5bebb9ca1", "type": "eql", - "version": 3 + "version": 4 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "min_stack_version": "8.3", @@ -6862,6 +8232,13 @@ "type": "eql", "version": 107 }, + "ef8cc01c-fc49-4954-a175-98569c646740": { + "min_stack_version": "8.9", + "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", + "sha256": "ae2f3e60d6bf07e3ace4c7be1a9a199dc8b181ae4c472baa2f02f91eb86e6801", + "type": "machine_learning", + "version": 1 + }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.3", "rule_name": "Unusual Child Processes of RunDLL32", @@ -6877,11 +8254,20 @@ "version": 104 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Administrator Role Assigned to an Okta User", + "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba", + "type": "query", + "version": 105 + } + }, "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba", + "sha256": "129a8d5f0cd2075e7fe6a38059a5ddcd26d18f1d6b9d8b93950bf60863671395", "type": "query", - "version": 103 + "version": 205 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "min_stack_version": "8.3", 
@@ -6907,9 +8293,9 @@ "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "min_stack_version": "8.3", "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "acc6575e3fa6df0eabd86bf1fa2a16fdcf95a33f0b3c99ef35f473bee3cbea26", + "sha256": "9472c913dfa8869854d45e63066366097bc76d22561deba5f0332c0e764850d5", "type": "eql", - "version": 4 + "version": 5 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "min_stack_version": "8.4", @@ -6935,9 +8321,9 @@ "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.3", "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "181e254a121f95897919759791f5af14565c11aa4ed7bab144e1e9c27400ac8b", + "sha256": "5b99a39e1fe7e357d865152fc9bddaf95dbcdef3438bbdd9a2de4b9ef6351120", "type": "eql", - "version": 105 + "version": 107 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.3", @@ -6954,11 +8340,20 @@ "version": 106 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Instance Creation", + "sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Instance Creation", - "sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5", + "sha256": "25aeaebf372fd4e468e990590efe81685706f45ab5eb44bb246d187a16a8b6e0", "type": "query", - "version": 103 + "version": 205 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "min_stack_version": "8.4", 
@@ -6967,12 +8362,19 @@ "type": "eql", "version": 3 }, + "f3403393-1fd9-4686-8f6e-596c58bc00b4": { + "min_stack_version": "8.9", + "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", + "sha256": "109d0c7e3887d7f898702bb931801365f78166bc37b58aa04f66b0e30101f41b", + "type": "query", + "version": 1 + }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", - "sha256": "881b9fd8fe67814ac0e2fd46633b3d14bec837de65f947f3196690da517ec326", + "sha256": "05dfb891d848215da2bda7c42b5229022f92e80d8ee4f97ea007d57196cfd637", "type": "eql", - "version": 107 + "version": 108 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "min_stack_version": "8.3", @@ -6988,19 +8390,26 @@ "type": "threat_match", "version": 3 }, + "f41296b4-9975-44d6-9486-514c6f635b2d": { + "min_stack_version": "8.6", + "rule_name": "Potential curl CVE-2023-38545 Exploitation", + "sha256": "397ef632c840d0922b83d252b5b41db9cbaa48dbded3e4274d7b714ea636231b", + "type": "eql", + "version": 2 + }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "6529bb3e9f2e7ba6334ccf83e73cb084a6d4a6b4754c82131a2b29b573db94fc", + "sha256": "292a400f924bdf495a355385c16ff53e68f9f3339a16f03722da0a67d20439f9", "type": "eql", - "version": 104 + "version": 105 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "min_stack_version": "8.3", "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "58fd8199f7eaa97b77809fbe7b9b19e44632eef4618a3a85d269f4c10fc65dda", + "sha256": "26b40ddcaa37e8f078da5fbfc2a20a67103717af9bed0188b9002a14836ffe5a", "type": "query", - "version": 107 + "version": 108 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", 
@@ -7011,16 +8420,16 @@ "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "min_stack_version": "8.3", "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "4a1c0d919c79748efefe5321d5e6652f4806a90a6748a5fbb97472ba5c7b6479", + "sha256": "7c8538ccb98edd565c3e77089791a93f35d6fe22c6f6622b1b5830797dfce87b", "type": "eql", - "version": 2 + "version": 3 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.3", "rule_name": "Windows Script Executing PowerShell", - "sha256": "9c28b36b93bb14bdf7618dda4125499529113bf5a991135211322b859581d528", + "sha256": "137fe700650e80f99c3e810ffa7887f243a69e3fd36267afd3685955e5b3a7e4", "type": "eql", - "version": 106 + "version": 107 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "min_stack_version": "8.8", 
@@ -7032,15 +8441,29 @@ "f5861570-e39a-4b8a-9259-abd39f84cb97": { "min_stack_version": "8.3", "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "1985348b300faecebbaac140fff23f888d5eac725cc209b01811dc5cc860b8b1", + "sha256": "9d093df26320c45b314e47dc2317d5b84a706d33b570f9b302014671f4b684de", "type": "query", - "version": 1 + "version": 2 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { "min_stack_version": "8.3", "rule_name": "WMIC Remote Command", - "sha256": "dc6e94a20b8f1618cea407e2ac25227adc96daf497e2c1b5b034408f0e1aa3c9", + "sha256": "e1ef94a11c4732f762e8f4e61014834b56c85ac0b9238a537e111d942fb12601", "type": "eql", + "version": 2 + }, + "f5c005d3-4e17-48b0-9cd7-444d48857f97": { + "min_stack_version": "8.3", + "rule_name": "Setcap setuid/setgid Capability Set", + "sha256": "05f3189fe09c5f5c72a44871e7af8a36a085d5f5642ee65deed333c490888820", + "type": "eql", + "version": 1 + }, + "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { + "min_stack_version": "8.9", + "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", + "sha256": "d95530ac48c152547acc046bef874063d532e0a9f5f639803e3b525025209f22", + "type": "machine_learning", "version": 1 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { @@ -7060,9 +8483,9 @@ "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "min_stack_version": "8.3", "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "0e7d1a785743f7bd0167dacf31665648afe6cc0921d859d611decdcf3ca2bf89", + "sha256": "23aef572b50810af907ee7bd6ef6657623f6592f933f9406a58dda38ccecb9d2", "type": "eql", - "version": 106 + "version": 107 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "min_stack_version": "8.3", 
@@ -7093,11 +8516,20 @@ "version": 102 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Alarm Deletion", + "sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd", + "sha256": "c58352df4a9adcf9259a2e3656fddae07215b10995a31acba7684366f084e0a9", "type": "query", - "version": 106 + "version": 208 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { "min_stack_version": "8.8", @@ -7116,9 +8548,9 @@ "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "84af71d36b636e2785c85ee6e6b0dcfc90b6df18c844ba0627a5605b8aa892d5", + "sha256": "0e07c2995af6088f4c7f371ce44780cab7ffe75d215408752857ac720cea0465", "type": "eql", - "version": 104 + "version": 105 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "min_stack_version": "8.3", @@ -7130,9 +8562,9 @@ "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.3", "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "9c50c505cf44d6eec05e8c2cc96a6569c7c14b193943425c21de51abbea9e5ca", + "sha256": "11ff5b48af4c6fe451b2ce1623b1cb2cb5bb35007bef94018597f897219a10af", "type": "eql", - "version": 106 + "version": 107 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "min_stack_version": "8.3", 
@@ -7163,11 +8595,20 @@ "version": 7 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Suspicious Activity Reported by Okta User", + "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06", + "type": "query", + "version": 105 + } + }, "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06", + "sha256": "248121396e46c80ff9a64d88848fd372e40eef61b3d43d31e6ef56a70477f392", "type": "query", - "version": 103 + "version": 205 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.3", @@ -7179,16 +8620,16 @@ "fa210b61-b627-4e5e-86f4-17e8270656ab": { "min_stack_version": "8.3", "rule_name": "Potential External Linux SSH Brute Force Detected", - "sha256": "983e0ddc1783910db137adf087a0cb74b34fbf20bf1569b9024cd5578ab1b84a", + "sha256": "fac6f9cee3f43e0193ffc987c11e25fd31bc52cf43af80e9cfabc8dc453c1812", "type": "eql", - "version": 3 + "version": 4 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "df52af5aacf36ea1a7ad6a44b6238bfd08e8feb288d0bb5d1b604d6f8cd513b2", + "sha256": "91a2395bf7620588ccb74be3c35e5550521b5efb2e5268f5e5f700def971d705", "type": "eql", - "version": 4 + "version": 5 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.3", 
@@ -7200,23 +8641,32 @@ "fac52c69-2646-4e79-89c0-fd7653461010": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of AppArmor", - "sha256": "84c459fa919be715728e6f1c0a8c4ec19b8480510bb411c3b81bb72ced32586f", + "sha256": "af928c417577e8cc0260d0553a69112ffe4cce0432ff7dd3e11a6bf0e6c446d1", "type": "eql", - "version": 1 + "version": 2 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Potential Masquerading as System32 DLL", + "sha256": "44de9f686412f5ba599fbbf3c20d3d9a0e941c644469a473712133ff1293bf6d", + "type": "eql", + "version": 2 + } + }, "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "6dabae4a91d13a982c01d893b7091d39599ab9bbc1e7e88117adcf8ae0a70a40", + "sha256": "83d55181cc10cf106c86f733adfc8bcd7100be39580cbdaf2784a6237cd2f61b", "type": "eql", - "version": 1 + "version": 102 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "8.3", "rule_name": "Network Connection via Registration Utility", - "sha256": "cca4c8c4fe974be12e9a9717eb82caa9cbb509858bba01b5872ad90988772dce", + "sha256": "43bf761ed99e39883a71417804e95161874113a3d08e64e551fe474bb054586c", "type": "eql", - "version": 105 + "version": 106 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", 
@@ -7225,18 +8675,27 @@ "version": 100 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Configuration Recorder Stopped", + "sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4", + "sha256": "e2cf9c3a12bd9ec52910d1a412e540d1f76113ddae474ae4fe22f81ed3aafb15", "type": "query", - "version": 103 + "version": 205 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "8975d3c8774ec9437e4cd11148a51508e2c6d7f7d78d7201c4be6cfbaf0004ab", + "sha256": "d82de3a511d6f9d1fdacc568ea1f4f13dcb5c7b1923e37472627edad3bc0e244", "type": "eql", - "version": 105 + "version": 106 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", 
@@ -7259,18 +8718,34 @@ "version": 106 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Svchost spawning Cmd", + "sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04", + "type": "eql", + "version": 107 + } + }, "rule_name": "Svchost spawning Cmd", - "sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04", + "sha256": "2cf4b3a4a92c5be889a51b4f1d51c3eab77327b7bf883a2a045d1571d8779e4b", + "type": "new_terms", + "version": 207 + }, + "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { + "min_stack_version": "8.3", + "rule_name": "Image Loaded with Invalid Signature", + "sha256": "cc47fed45ee058e096104f4c1d2e2068a516895cf8a9e85ab1511686b49de1ee", "type": "eql", - "version": 107 + "version": 1 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "min_stack_version": "8.3", "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", - "sha256": "62b9374ecd5f2c092b1940f6dd1481f37a42f04bdda1015b7cb512ba22db08ca", + "sha256": "590ac86e1af3b8706e4cb2a69e8fdd314724e77dbb5799e8fb98370ce40c9e58", "type": "eql", - "version": 1 + "version": 2 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "min_stack_version": "8.3", 
@@ -7282,21 +8757,28 @@ "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", - "sha256": "a8ea104f14627b5bef865394a5a80d56b351edaa5b4beea10407d3950c42f419", + "sha256": "7e932f33b6e1585cd992ffb8d0c475283c7c7d9e5f8480d9858165a716090f61", "type": "query", - "version": 1 + "version": 2 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "min_stack_version": "8.3", "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "da773bcc4a79e9c08e47654c4abaef1190bd351feb40255c17932f918361f591", + "sha256": "a8eff42378039fb19f5db47284f5c0fc7ac55a01a9ec1c5d9b1a664f91fff887", "type": "eql", - "version": 106 + "version": 107 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Business App Installer", - "sha256": "60ec14b09417f0cb76b839ac47aa592120fc5692e363f35cb28840dcb84414be", + "sha256": "f8fb3a902d4649dae09ebfd3622387f97612d9ce93d0c82dc28badc57bf61ae1", + "type": "eql", + "version": 2 + }, + "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { + "min_stack_version": "8.3", + "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", + "sha256": "2d4dac5ee69aa01095329c1850ad5569f1d4d34fe06d5a73ef0f4fb93b1d98b7", "type": "eql", "version": 1 }, 
@@ -7310,23 +8792,30 @@ "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "min_stack_version": "8.3", "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "sha256": "93c635e72bde1b37f08db8fbaab71b57c830ec8a6d88f9d868cad5cae1d4c602", + "sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055", "type": "query", - "version": 102 + "version": 103 + }, + "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { + "min_stack_version": "8.9", + "rule_name": "Potential DGA Activity", + "sha256": "83e50c945d95a5c87970b0f27356a28d98589040cb7698c584b7b41c832a8c24", + "type": "machine_learning", + "version": 1 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "min_stack_version": "8.6", "rule_name": "Cron Job Created or Changed by Previously Unknown Process", - "sha256": "3f05ca34ca031232a58c6bdd28c52d7ebc9751646383323594d0514a33322443", + "sha256": "b1a94af889b3bd5f19d461f40cf67ebb70a8c9c19383c1c6b821e829e49477e8", "type": "new_terms", - "version": 4 + "version": 5 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "min_stack_version": "8.7", "rule_name": "LSASS Process Access via Windows API", - "sha256": "89aab4dd5ac4c53bd4096c632d79151c726d6991f64ad42938fde25eed6a3c8b", + "sha256": "592b792af644dd525e7bb61b8ba69a59219b797775997301b8ca62e5e71e03bd", "type": "eql", - "version": 3 + "version": 4 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "min_stack_version": "8.3", @@ -7345,8 +8834,8 @@ "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "min_stack_version": "8.3", "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "16c98c01aec6efd485063babc9daf4aef11f4c6de3c2834b877688f6326a8cb6", + "sha256": "7f5618048d9c9a947da0f5e7789a02590652382297e9fc2355be088f7eb8a2bf", "type": "eql", - "version": 2 + "version": 3 } } \ No newline at end of file diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py index 16f6999a2..3c5ae4859 100644 --- a/detection_rules/integrations.py +++ b/detection_rules/integrations.py 
@@ -23,6 +23,7 @@ from . import ecs
 from .beats import flatten_ecs_schema
 from .misc import load_current_package_version
 from .utils import cached, get_etc_path, read_gzip, unzip
+from .schemas import definitions
 MANIFEST_FILE_PATH = Path(get_etc_path('integration-manifests.json.gz'))
 SCHEMA_FILE_PATH = Path(get_etc_path('integration-schemas.json.gz'))
@@ -47,12 +48,13 @@ class IntegrationManifestSchema(Schema):
 description = fields.Str(required=True)
 download = fields.Str(required=True)
 conditions = fields.Dict(required=True)
- policy_templates = fields.List(fields.Dict, required=True)
+ policy_templates = fields.List(fields.Dict)
 owner = fields.Dict(required=False)
 @post_load
 def transform_policy_template(self, data, **kwargs):
- data["policy_templates"] = [policy["name"] for policy in data["policy_templates"]]
+ if "policy_templates" in data:
+ data["policy_templates"] = [policy["name"] for policy in data["policy_templates"]]
 return data
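Review bot: `transform_policy_template` now tolerates manifests without `policy_templates`, but the re-added comprehension still indexes `policy["name"]` unguarded, so a template entry lacking `name` escapes the `post_load` hook as a bare `KeyError` rather than a `ValidationError`; if such entries can occur in registry manifests, validate the nested shape (a `fields.Nested` schema) or skip them with `policy.get("name")`. Consumers must now treat `policy_templates` as optional in loaded data, which the `TOMLRuleContents` hunk further down does with `.get`. The hook has no docstring; `"""Collapse each policy template dict to its name; manifests without policy_templates pass through unchanged."""` states the new contract.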
@@ -93,21 +95,30 @@ def build_integrations_manifest(overwrite: bool, rule_integrations: list = [], i
 print(f"final integrations manifests dumped: {MANIFEST_FILE_PATH}")
-def build_integrations_schemas(overwrite: bool) -> None:
+def build_integrations_schemas(overwrite: bool, integration: str = None) -> None:
 """Builds a new local copy of integration-schemas.json.gz from EPR integrations."""
- final_integration_schemas = {}
 saved_integration_schemas = {}
 # Check if the file already exists and handle accordingly
 if overwrite and SCHEMA_FILE_PATH.exists():
 SCHEMA_FILE_PATH.unlink()
+ final_integration_schemas = {}
 elif SCHEMA_FILE_PATH.exists():
- saved_integration_schemas = load_integrations_schemas()
+ final_integration_schemas = load_integrations_schemas()
+ else:
+ final_integration_schemas = {}
 # Load the integration manifests
 integration_manifests = load_integrations_manifests()
+ # if a single integration is specified, only process that integration
+ if integration:
+ if integration in integration_manifests:
+ integration_manifests = {integration: integration_manifests[integration]}
+ else:
+ raise ValueError(f"Integration {integration} not found in manifest.")
+
 # Loop through the packages and versions
 for package, versions in integration_manifests.items():
 print(f"processing {package}")
@@ -127,12 +138,12 @@ def build_integrations_schemas(overwrite: bool) -> None:
 # Open the zip file
 with unzip(response.content) as zip_ref:
 for file in zip_ref.namelist():
+ file_data_bytes = zip_ref.read(file)
 # Check if the file is a match
 if glob.fnmatch.fnmatch(file, '*/fields/*.yml'):
 integration_name = Path(file).parent.parent.name
 final_integration_schemas[package][version].setdefault(integration_name, {})
- file_data = zip_ref.read(file)
- schema_fields = yaml.safe_load(file_data)
+ schema_fields = yaml.safe_load(file_data_bytes)
 # Parse the schema and add to the integration_manifests
 data = flatten_ecs_schema(schema_fields)
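Review bot: `saved_integration_schemas = {}` is now assigned but never read in this hunk, since the `elif` branch loads into `final_integration_schemas` instead; drop it, and the three-way branch collapses to `final_integration_schemas = load_integrations_schemas() if SCHEMA_FILE_PATH.exists() and not overwrite else {}` followed by the `unlink()` when overwriting. The new parameter is typed `integration: str = None`; `Optional[str]` states the default honestly to type checkers. build_integrations_schemas continues past the end of this hunk.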
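Review bot: `file_data_bytes = zip_ref.read(file)` now decompresses every member of the package archive before any pattern is checked, whereas the removed `file_data = zip_ref.read(file)` ran only for matching `fields/*.yml` entries; for large packages that is needless decompression and memory on content fetched from a remote registry. Check the patterns first and read only on a match, e.g. `is_fields = glob.fnmatch.fnmatch(file, '*/fields/*.yml')` / `is_ml = glob.fnmatch.fnmatch(file, '*/ml_module/*ml.json')` / `if not (is_fields or is_ml): continue` ahead of the read (the ML pattern is the one used by the following hunk). The body of `for file in zip_ref.namelist()` continues past the end of this hunk.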
@@ -140,7 +151,14 @@ def build_integrations_schemas(overwrite: bool) -> None:
 final_integration_schemas[package][version][integration_name].update(flat_data)
- del file_data
+ # add machine learning jobs to the schema
+ if integration in list(map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)):
+ if glob.fnmatch.fnmatch(file, '*/ml_module/*ml.json'):
+ ml_module = json.loads(file_data_bytes)
+ job_ids = [job['id'] for job in ml_module['attributes']['jobs']]
+ final_integration_schemas[package][version]['jobs'] = job_ids
+
+ del file_data_bytes
 # Write the final integration schemas to disk
 with gzip.open(SCHEMA_FILE_PATH, "w") as schema_file:
@@ -317,7 +335,9 @@ def get_integration_schema_data(data, meta, package_integrations: dict) -> Gener
 if integration is None:
 # Use all fields from each dataset
 for dataset in integrations_schemas[package][package_version]:
- schema.update(integrations_schemas[package][package_version][dataset])
+ # ignore jobs from machine learning packages
+ if dataset != "jobs":
+ schema.update(integrations_schemas[package][package_version][dataset])
 else:
 if integration not in integrations_schemas[package][package_version]:
 raise ValueError(f"Integration {integration} not found in package {package} "
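Review bot: The ML-jobs branch tests the `integration` argument rather than the `package` being iterated, so a default call (no `integration`, every package rebuilt) evaluates `None in [...]` and never writes a `jobs` entry; unless jobs are meant to be collected only in single-integration mode, the condition should read `if package in ml_packages:`. `list(map(str.lower, definitions.MACHINE_LEARNING_PACKAGES))` is also rebuilt for every archive member; hoist it once before the package loop as `ml_packages = {p.lower() for p in definitions.MACHINE_LEARNING_PACKAGES}`. A package shipping more than one `*ml.json` module overwrites `['jobs']` on each match instead of accumulating, and `ml_module['attributes']['jobs']` raises a bare `KeyError` on an unexpected module layout without naming the offending file. `json` is used here but does not appear in the visible import hunk for this module — confirm it is already imported.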
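Review bot: `if dataset != "jobs"` relies on a bare string sentinel to recognise the ML job list that `build_integrations_schemas` stores alongside real datasets; a genuine dataset named `jobs` would be silently dropped, and the coupling between writer and reader is invisible at either site. Naming the key once at module level, e.g. `ML_JOBS_KEY = "jobs"`, and using it in both places makes the convention explicit and greppable. get_integration_schema_data continues past the end of this hunk.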
@@ -11,14 +11,17 @@ import os
 import re
 import time
 from datetime import datetime
+
+import pytoml
 from marshmallow_dataclass import class_schema
 from pathlib import Path
 from semver import Version
-from typing import Dict, List, Optional
+from typing import Dict, Iterable, List, Optional
 from uuid import uuid4
 import click
+from .attack import build_threat_map_entry
 from .cli_utils import rule_prompt, multi_collection
 from .mappings import build_coverage_map, get_triggered_rules, print_converage_summary
 from .misc import add_client, client_error, nested_set, parse_config, load_current_package_version
@@ -93,7 +96,7 @@ def generate_rules_index(ctx: click.Context, query, overwrite, save_files=True):
 @click.argument('input-file', type=click.Path(dir_okay=False, exists=True), nargs=-1, required=False)
 @click.option('--directory', '-d', type=click.Path(file_okay=False, exists=True), help='Load files from a directory')
 def import_rules(input_file, directory):
- """Import rules from json, toml, or Kibana exported rule file(s)."""
+ """Import rules from json, toml, yaml, or Kibana exported rule file(s)."""
 rule_files = glob.glob(os.path.join(directory, '**', '*.*'), recursive=True) if directory else []
 rule_files = sorted(set(rule_files + list(input_file)))
@@ -385,6 +388,19 @@ def search_rules(query, columns, language, count, verbose=True, rules: Dict[str,
 return filtered
+@root.command('build-threat-map-entry')
+@click.argument('tactic')
+@click.argument('technique-ids', nargs=-1)
+def build_threat_map(tactic: str, technique_ids: Iterable[str]):
+ """Build a threat map entry."""
+ entry = build_threat_map_entry(tactic, *technique_ids)
+ rendered = pytoml.dumps({'rule': {'threat': [entry]}})
+ # strip out [rule]
+ cleaned = '\n'.join(rendered.splitlines()[2:])
+ print(cleaned)
+ return entry
+
+
 @root.command("test")
 @click.pass_context
 def test_rules(ctx):
diff --git a/detection_rules/misc.py b/detection_rules/misc.py
index bb0de6938..e940f9203 100644
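Review bot: `rendered.splitlines()[2:]` in `build_threat_map` hard-codes that pytoml emits exactly two lines (`[rule]` and a blank) before the `[[rule.threat]]` table; if the serializer's layout differs the command silently prints a truncated or mis-headed entry. Dropping the header by content fails loudly instead: `lines = rendered.splitlines()` / `cleaned = '\n'.join(lines[lines.index('[rule]') + 1:]).strip('\n')`. The `return entry` from a click command is discarded by click and only misleads readers, and the docstring could say what the command prints: `"""Build a threat map entry for TACTIC and TECHNIQUE_IDS and print it as rule TOML."""`.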
--- a/detection_rules/misc.py
+++ b/detection_rules/misc.py
@@ -115,7 +115,7 @@ def nest_from_dot(dots, value):
 return nested
-def schema_prompt(name, value=None, required=False, **options):
+def schema_prompt(name, value=None, is_required=False, **options):
 """Interactively prompt based on schema requirements."""
 name = str(name)
 field_type = options.get('type')
@@ -136,7 +136,7 @@ def schema_prompt(name, value=None, required=False, **options):
 if name == 'rule_id':
 default = str(uuid.uuid4())
- if len(enum) == 1 and required and field_type != "array":
+ if len(enum) == 1 and is_required and field_type != "array":
 return enum[0]
 def _check_type(_val):
@@ -168,7 +168,7 @@ def schema_prompt(name, value=None, required=False, **options):
 prompt = '{name}{default}{required}{multi}'.format(
 name=name,
 default=' [{}] ("n/a" to leave blank) '.format(default) if default else '',
- required=' (required) ' if required else '',
+ required=' (required) ' if is_required else '',
 multi=' (multi, comma separated) ' if field_type == 'array' else '').strip() + ': '
 while True:
@@ -177,7 +177,7 @@ def schema_prompt(name, value=None, required=False, **options):
 result = None
 if not result:
- if required:
+ if is_required:
 value = None
 continue
 else:
@@ -187,7 +187,7 @@ def schema_prompt(name, value=None, required=False, **options):
 result_list = result.split(',')
 if not (min_item < len(result_list) < max_items):
- if required:
+ if is_required:
 value = None
 break
 else:
@@ -195,19 +195,19 @@ def schema_prompt(name, value=None, required=False, **options):
 for value in result_list:
 if not _check_type(value):
- if required:
+ if is_required:
 value = None
 break
 else:
 return []
- if required and value is None:
+ if is_required and value is None:
 continue
 else:
 return [_convert_type(r) for r in result_list]
 else:
 if _check_type(result):
 return _convert_type(result)
- elif required:
+ elif is_required:
 value = None
 continue
 return
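Review bot: Renaming the keyword parameter from `required` to `is_required` is silently backward-incompatible: a caller not updated with this commit that still passes `required=True` gets no `TypeError` — the value is absorbed by `**options` and the prompt treats the field as optional. If the motivation is that JSON-schema `required` lists arrive through `options` (it looks that way, but the hunk does not say), rejecting only the boolean form keeps that working while catching stale callers: `if isinstance(options.get('required'), bool): raise TypeError("pass is_required=, not required=")`. The docstring still does not describe the flag; a line such as `is_required: when True, an empty or ill-typed answer re-prompts instead of returning None or []` would document what the `continue` branches implement. schema_prompt's body runs past these hunks.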
diff --git a/detection_rules/packaging.py b/detection_rules/packaging.py
index 4423c63a2..6251c68b1 100644
--- a/detection_rules/packaging.py
+++ b/detection_rules/packaging.py
@@ -14,6 +14,7 @@ import textwrap
 from collections import defaultdict
 from pathlib import Path
 from typing import Dict, Optional, Tuple
+from semver import Version
 import click
 import yaml
@@ -377,9 +378,15 @@ class Package(object):
 def _generate_registry_package(self, save_dir):
 """Generate the artifact for the oob package-storage."""
- from .schemas.registry_package import RegistryPackageManifest
+ from .schemas.registry_package import (RegistryPackageManifestV1,
+ RegistryPackageManifestV3)
- manifest = RegistryPackageManifest.from_dict(self.registry_data)
+ # 8.12.0+ we use elastic package v3
+ stack_version = Version.parse(self.name, optional_minor_and_patch=True)
+ if stack_version >= Version.parse('8.12.0'):
+ manifest = RegistryPackageManifestV3.from_dict(self.registry_data)
+ else:
+ manifest = RegistryPackageManifestV1.from_dict(self.registry_data)
 package_dir = Path(save_dir) / 'fleet' / manifest.version
 docs_dir = package_dir / 'docs'
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 61cbf9a20..f02254934 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -229,7 +229,8 @@ class AlertSuppressionMapping(MarshmallowDataclassMixin, StackCompatMixin):
 value: int
 group_by: List[definitions.NonEmptyStr]
- duration: Optional[AlertSuppressionDuration] = field(metadata=dict(metadata=dict(min_compat="8.7")))
+ duration: Optional[AlertSuppressionDuration]
+ missing_fields_strategy: definitions.AlertSuppressionMissing
 @dataclass(frozen=True)
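Review bot: `Version.parse(self.name, optional_minor_and_patch=True)` relies on the package's `name` being a stack version string; that is presumably this project's convention, but nothing in the hunk says so, and a comment such as `# self.name is the target stack version (e.g. "8.12"), hence the version parse` would save the next reader a search. The cut-over `'8.12.0'` is a magic literal inside the method; a module constant like `REGISTRY_MANIFEST_V3_MIN_STACK = Version.parse('8.12.0')` keeps it discoverable and avoids re-parsing on every call. _generate_registry_package continues past the end of the hunk.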
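Review bot: `missing_fields_strategy: definitions.AlertSuppressionMissing` is declared without `Optional`, so any rule TOML that already carries `alert_suppression` but not this key now fails to load; if that is the intended hard requirement it deserves a comment on the field, otherwise `Optional[definitions.AlertSuppressionMissing]` with the default documented is the safer shape — existing rule files are not visible from here. Dropping `min_compat="8.7"` from `duration` is consistent with the whole mapping moving to `min_compat="8.8"` in the `QueryRuleData` hunk further down. The class body may continue outside the hunk.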
@@ -247,7 +248,6 @@ class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin):
 integration: Optional[definitions.NonEmptyStr]
 actions: Optional[list]
- alert_suppression: Optional[AlertSuppressionMapping] = field(metadata=dict(metadata=dict(min_compat="8.6")))
 author: List[str]
 building_block_type: Optional[definitions.BuildingBlockType]
 description: str
@@ -273,7 +273,7 @@ class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin):
 risk_score_mapping: Optional[List[RiskScoreMapping]]
 rule_id: definitions.UUIDString
 rule_name_override: Optional[str]
- setup: Optional[str] = field(metadata=dict(metadata=dict(min_compat="8.3")))
+ setup: Optional[definitions.Markdown] = field(metadata=dict(metadata=dict(min_compat="8.3")))
 severity_mapping: Optional[List[SeverityMapping]]
 severity: definitions.Severity
 tags: Optional[List[str]]
@@ -561,6 +561,7 @@ class QueryRuleData(BaseRuleData):
 index: Optional[List[str]]
 query: str
 language: definitions.FilterLanguages
+ alert_suppression: Optional[AlertSuppressionMapping] = field(metadata=dict(metadata=dict(min_compat="8.8")))
 @cached_property
 def validator(self) -> Optional[QueryValidator]:
@@ -592,6 +593,14 @@ class QueryRuleData(BaseRuleData):
 if validator is not None:
 return validator.get_required_fields(index or [])
+ @validates_schema
+ def validate_exceptions(self, data, **kwargs):
+ """Custom validation for query rule type and subclasses."""
+
+ # alert suppression is only valid for query rule type and not any of its subclasses
+ if data.get('alert_suppression') and data['type'] != 'query':
+ raise ValidationError("Alert suppression is only valid for query rule type.")
+
 @dataclass(frozen=True)
 class MachineLearningRuleData(BaseRuleData):
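Review bot: `validate_exceptions` checks alert suppression, not exceptions, so the name misleads; marshmallow discovers the hook through `@validates_schema` rather than by name, so renaming it `validate_alert_suppression` is safe. `data['type']` raises a bare `KeyError` instead of a `ValidationError` when `type` is absent; `data.get('type') != 'query'` keeps the failure on the schema-error path. The docstring could state the rule rather than its category: `"""Reject alert_suppression on QueryRuleData subclasses (e.g. NewTermsRuleData); only type == 'query' supports it."""`. The field also moves from `BaseRuleData` at `min_compat="8.6"` to `QueryRuleData` at `min_compat="8.8"` in the hunks above; if the bump is deliberate, a short comment on the field would stop it reading as accidental.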
@@ -638,52 +647,6 @@ class NewTermsRuleData(QueryRuleData): type: Literal["new_terms"] new_terms: NewTermsMapping - def validate(self, meta: RuleMeta) -> None: - """Validates terms in new_terms_fields are valid ECS schema.""" - - kql_validator = KQLValidator(self.query) - kql_validator.validate(self, meta) - feature_min_stack = Version.parse('8.4.0') - feature_min_stack_extended_fields = Version.parse('8.6.0') - current_package_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True) - - # validate history window start field exists and is correct - assert self.new_terms.history_window_start, \ - "new terms field found with no history_window_start field defined" - assert self.new_terms.history_window_start[0].field == "history_window_start", \ - f"{self.new_terms.history_window_start} should be 'history_window_start'" - - # validate new terms and history window start fields is correct - assert self.new_terms.field == "new_terms_fields", \ - f"{self.new_terms.field} should be 'new_terms_fields' for new_terms rule type" - - # ecs validation - min_stack_version = Version.parse(meta.get("min_stack_version")) if meta.get("min_stack_version") else None - min_stack_version = current_package_version if min_stack_version is None or min_stack_version < \ - current_package_version else min_stack_version - - assert min_stack_version >= feature_min_stack, \ - f"New Terms rule types only compatible with {feature_min_stack}+" - ecs_version = get_stack_schemas()[str(min_stack_version)]['ecs'] - beats_version = get_stack_schemas()[str(min_stack_version)]['beats'] - - # checks if new terms field(s) are in ecs, beats or non-ecs schemas - _, _, schema = kql_validator.get_beats_schema(self.index or [], beats_version, ecs_version) - - for new_terms_field in self.new_terms.value: - assert new_terms_field in schema.keys(), \ - f"{new_terms_field} not found in ECS, Beats, or non-ecs schemas" - - # validates length of new_terms to stack version - 
https://github.com/elastic/kibana/issues/142862
- if min_stack_version >= feature_min_stack and \
- min_stack_version < feature_min_stack_extended_fields:
- assert len(self.new_terms.value) == 1, \
- f"new terms have a max limit of 1 for stack versions below {feature_min_stack_extended_fields}"
-
- # validate fields are unique
- assert len(set(self.new_terms.value)) == len(self.new_terms.value), \
- f"new terms fields values are not unique - {self.new_terms.value}"
-
 def transform(self, obj: dict) -> dict:
 """Transforms new terms data to API format for Kibana."""
@@ -1024,8 +987,10 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
 # if integration is not a policy template remove
 if package["version"]:
- policy_templates = packages_manifest[
- package["package"]][package["version"].strip("^")]["policy_templates"]
+ version_data = packages_manifest.get(package["package"],
+ {}).get(package["version"].strip("^"), {})
+ policy_templates = version_data.get("policy_templates", [])
+
 if package["integration"] not in policy_templates:
 del package["integration"]
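Review bot: The chained `.get(..., {})` lookups behind `version_data` turn a package or version that is absent from `packages_manifest` into an empty `policy_templates`, after which `del package["integration"]` runs; the `KeyError` this replaces at least surfaced a mistyped package name or an unlisted version, whereas now the integration is dropped with no signal. Keep the lenient lookup but separate the two cases, e.g. `if not version_data:` followed by a warning through whatever logger rule.py uses (naming `package["package"]` and the version) before the membership test, or leave `integration` untouched when the manifest entry itself is missing. The enclosing method continues outside the hunk.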
@@ -1125,14 +1090,18 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): elif isinstance(node, FieldComparison) and str(node.field) == 'event.dataset': datasets.update(set(str(n) for n in node if isinstance(n, kql.ast.Value))) - if not datasets: - # windows and endpoint integration do not have event.dataset fields in queries - # integration is None to remove duplicate references upstream in Kibana - rule_integrations = meta.get("integration", []) - if rule_integrations: - for integration in rule_integrations: - if integration in definitions.NON_DATASET_PACKAGES or isinstance(data, MachineLearningRuleData): - packaged_integrations.append({"package": integration, "integration": None}) + # integration is None to remove duplicate references upstream in Kibana + # chronologically, event.dataset is checked for package:integration, then rule tags + # if both exist, rule tags are only used if defined in definitions for non-dataset packages + # of machine learning analytic packages + + rule_integrations = meta.get("integration", []) + if rule_integrations: + for integration in rule_integrations: + ineligible_integrations = definitions.NON_DATASET_PACKAGES + \ + [*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)] + if integration in ineligible_integrations or isinstance(data, MachineLearningRuleData): + packaged_integrations.append({"package": integration, "integration": None}) for value in sorted(datasets): integration = 'Unknown' diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py index 05fdefcc4..6ac9afc80 100644 --- a/detection_rules/schemas/__init__.py +++ b/detection_rules/schemas/__init__.py 
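Review bot: `ineligible_integrations` is rebuilt on every pass of `for integration in rule_integrations:` even though it does not depend on the loop variable; move the two lines above the loop. The new comment says `of machine learning analytic packages` where `or` is evidently meant. With the `if not datasets:` guard gone, a package that is both listed in the rule's `integration` metadata and discovered through `event.dataset` can presumably be appended twice (here with `integration: None` and again in the dataset loop below); if that duplication is intended, the comment should say so. The enclosing method starts and ends outside the hunk.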
@@ -262,6 +262,12 @@ def migrate_to_8_10(version: Version, api_contents: dict) -> dict: return strip_additional_properties(version, api_contents) +@migrate("8.11") +def migrate_to_8_11(version: Version, api_contents: dict) -> dict: + """Default migration for 8.11.""" + return strip_additional_properties(version, api_contents) + + def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict: """Downgrade a rule to a target stack version.""" from ..packaging import current_stack_version diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py index cb842b5e1..e4bf09efd 100644 --- a/detection_rules/schemas/definitions.py +++ b/detection_rules/schemas/definitions.py @@ -28,6 +28,7 @@ VERSION_PATTERN = f'^{_version}$' MINOR_SEMVER = r'^\d+\.\d+$' BRANCH_PATTERN = f'{VERSION_PATTERN}|^master$' ELASTICSEARCH_EQL_FEATURES = { + "allow_negation": (Version.parse('8.9.0'), None), "allow_runs": (Version.parse('7.16.0'), None), "allow_sample": (Version.parse('8.6.0'), None), "elasticsearch_validate_optional_fields": (Version.parse('7.16.0'), None) @@ -43,7 +44,6 @@ TACTIC_URL = r'^https://attack.mitre.org/tactics/TA[0-9]+/$' TECHNIQUE_URL = r'^https://attack.mitre.org/techniques/T[0-9]+/$' SUBTECHNIQUE_URL = r'^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$' MACHINE_LEARNING = 'machine_learning' -SAVED_QUERY = 'saved_query' QUERY = 'query' QUERY_FIELD_OP_EXCEPTIONS = ["powershell.file.script_block_text"] @@ -90,6 +90,7 @@ EXPECTED_RULE_TAGS = [ 'OS: Linux', 'OS: macOS', 'OS: Windows', + 'Rule Type: BBR', 'Resources: Investigation Guide', 'Rule Type: Higher-Order Rule', 'Rule Type: Machine Learning', 
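Review bot: `'Rule Type: BBR'` is inserted between `'OS: Windows'` and `'Resources: Investigation Guide'`, but the visible `EXPECTED_RULE_TAGS` entries appear to be kept in alphabetical order and the other `Rule Type:` tags follow `Resources:`; place it directly before `'Rule Type: Higher-Order Rule'`. The list continues outside the hunk.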
@@ -125,7 +126,10 @@ EXPECTED_RULE_TAGS = [ 'Use Case: Vulnerability' ] +MACHINE_LEARNING_PACKAGES = ['LMD', 'DGA', 'DED', 'ProblemChild', 'Beaconing'] +AlertSuppressionMissing = NewType('AlertSuppressionMissing', str, + validate=validate.OneOf(['suppress', 'doNotSuppress'])) NonEmptyStr = NewType('NonEmptyStr', str, validate=validate.Length(min=1)) TimeUnits = Literal['s', 'm', 'h'] BranchVer = NewType('BranchVer', str, validate=validate.Regexp(BRANCH_PATTERN)) @@ -144,7 +148,7 @@ OSType = Literal['windows', 'linux', 'macos'] PositiveInteger = NewType('PositiveInteger', int, validate=validate.Range(min=1)) RiskScore = NewType("MaxSignals", int, validate=validate.Range(min=1, max=100)) RuleName = NewType('RuleName', str, validate=validate.Regexp(NAME_PATTERN)) -RuleType = Literal['query', 'saved_query', 'machine_learning', 'eql', 'threshold', 'threat_match', 'new_terms'] +RuleType = Literal['query', 'machine_learning', 'eql', 'threshold', 'threat_match', 'new_terms'] SemVer = NewType('SemVer', str, validate=validate.Regexp(VERSION_PATTERN)) SemVerMinorOnly = NewType('SemVerFullStrict', str, validate=validate.Regexp(MINOR_SEMVER)) Severity = Literal['low', 'medium', 'high', 'critical'] @@ -159,5 +163,6 @@ UUIDString = NewType('UUIDString', str, validate=validate.Regexp(UUID_PATTERN)) BuildingBlockType = Literal['default'] # experimental machine learning features and releases -MachineLearningType = Literal['DGA', 'ProblemChild'] -MachineLearningTypeLower = Literal['dga', 'problemchild'] +MachineLearningType = getattr(Literal, '__getitem__')(tuple(MACHINE_LEARNING_PACKAGES)) # noqa: E999 +MachineLearningTypeLower = getattr(Literal, '__getitem__')( + tuple(map(str.lower, MACHINE_LEARNING_PACKAGES))) # noqa: E999 diff --git a/detection_rules/schemas/registry_package.py b/detection_rules/schemas/registry_package.py index b94cf13c8..7c1719c40 100644 --- a/detection_rules/schemas/registry_package.py +++ b/detection_rules/schemas/registry_package.py 
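Review bot: `getattr(Literal, '__getitem__')(tuple(MACHINE_LEARNING_PACKAGES))` is exactly the call `Literal[tuple(MACHINE_LEARNING_PACKAGES)]`; the indirection only hides the dynamic subscript from a linter, and `# noqa: E999` names flake8's syntax-error code, which cannot apply to a line that parses. Write the plain subscript, suppress the rule that actually fires if any does, and say why the type is built this way, e.g. `# derived from MACHINE_LEARNING_PACKAGES at import time; static type checkers cannot resolve it`.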
@@ -5,7 +5,7 @@ """Definitions for packages destined for the registry.""" -from dataclasses import dataclass +from dataclasses import dataclass, field from typing import Dict, List, Optional from .definitions import ConditionSemVer, SemVer @@ -13,22 +13,54 @@ from ..mixins import MarshmallowDataclassMixin @dataclass -class RegistryPackageManifest(MarshmallowDataclassMixin): +class ConditionElastic: + subscription: str + + +@dataclass +class Condition: + kibana_version: str = field(metadata={"data_key": "kibana.version"}) + elastic: ConditionElastic + + +@dataclass +class Icon: + size: str + src: str + type: str + + +@dataclass +class RegistryPackageManifestBase(MarshmallowDataclassMixin): """Base class for registry packages.""" categories: List[str] - conditions: Dict[str, ConditionSemVer] description: str format_version: SemVer - icons: list - license: str + icons: List[Icon] name: str owner: Dict[str, str] - release: str title: str type: str version: SemVer - internal: Optional[bool] = None - policy_templates: Optional[list] = None - screenshots: Optional[list] = None + internal: Optional[bool] + policy_templates: Optional[List[str]] + screenshots: Optional[List[str]] + + +@dataclass +class RegistryPackageManifestV1(RegistryPackageManifestBase): + """Registry packages using elastic-package v1.""" + + conditions: Dict[str, ConditionSemVer] + license: str + release: str + + +@dataclass +class RegistryPackageManifestV3(RegistryPackageManifestBase): + """Registry packages using elastic-package v3.""" + + conditions: Condition + source: Dict[str, str] diff --git a/detection_rules/utils.py b/detection_rules/utils.py index b7ef0bf44..265742c52 100644 --- a/detection_rules/utils.py +++ b/detection_rules/utils.py 
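Review bot: `policy_templates: Optional[List[str]]` and `screenshots: Optional[List[str]]` narrow the previous untyped `list`, and `icons: List[Icon]` now demands exactly `size`, `src` and `type`; if any registry manifest carries structured entries in those lists, or an icon with an extra key, and the mixin's schema rejects unknown fields, `from_dict` will fail on data that loaded before this change — worth confirming against the real manifests. Removing the `= None` defaults from `internal`, `policy_templates` and `screenshots` also makes them mandatory keyword arguments for any code that instantiates these dataclasses directly rather than via `from_dict`. A docstring on `Condition` naming the manifest block it maps would help, e.g. `"""conditions block of an elastic-package v3 manifest (kibana.version, elastic.subscription)."""`.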
@@ -326,8 +326,10 @@ def load_rule_contents(rule_file: Path, single_only=False) -> list:
 return contents or [{}]
 elif extension == '.toml':
 rule = pytoml.loads(raw_text)
+ elif extension.lower() in ('yaml', 'yml'):
+ rule = load_dump(str(rule_file))
 else:
- rule = load_dump(rule_file)
+ return []
 if isinstance(rule, dict):
 return [rule]
diff --git a/kql/evaluator.py b/kql/evaluator.py
index 0a7eaa181..643381c4f 100644
--- a/kql/evaluator.py
+++ b/kql/evaluator.py
@@ -10,7 +10,7 @@ import eql.ast
 from eql import Walker, EqlCompileError, utils
 from eql.functions import CidrMatch
 from .errors import KqlRuntimeError, KqlCompileError
-
+from .parser import is_ipaddress
 class FilterGenerator(Walker):
 __cidr_cache = {}
@@ -20,8 +20,9 @@ class FilterGenerator(Walker):
 @classmethod
 def equals(cls, term, value):
+ """Check if a term is equal to a value."""
 if utils.is_string(term) and utils.is_string(value):
- if CidrMatch.ip_compiled.match(term) and CidrMatch.cidr_compiled.match(value):
+ if is_ipaddress(term) and eql.utils.is_cidr_pattern(value):
 # check for an ipv4 cidr
 if value not in cls.__cidr_cache:
 cls.__cidr_cache[value] = CidrMatch.get_callback(None, eql.ast.String(value))
diff --git a/kql/parser.py b/kql/parser.py
index b92863f73..e3017f2fc 100644
--- a/kql/parser.py
+++ b/kql/parser.py
@@ -40,6 +40,15 @@ with open(grammar_file, "rt") as f:
 lark_parser = Lark(grammar, propagate_positions=True, tree_class=KvTree, start=['query'], parser='lalr')
+def is_ipaddress(value: str) -> bool:
+ """Check if a value is an ip address."""
+ try:
+ eql.utils.get_ipaddress(value)
+ return True
+ except ValueError:
+ return False
+
+
 def wildcard2regex(wc: str) -> re.Pattern:
 parts = wc.split("*")
 return re.compile("^{regex}$".format(regex=".*?".join(re.escape(w) for w in parts)))
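Review bot: `extension.lower() in ('yaml', 'yml')` can never match, because `extension` carries the leading dot (the sibling test two lines up is `extension == '.toml'`), so every YAML rule file now falls through to the new `else: return []` and is skipped without a word. Change the tuple to `('.yaml', '.yml')`. Returning `[]` for an unrecognised extension with no message also hides misnamed rule files; a raised error or at least a log line there would make that visible. `load_rule_contents` starts outside the hunk.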
@@ -85,8 +94,6 @@ def elasticsearch_type_family(mapping_type: str) -> str: class BaseKqlParser(Interpreter): NON_SPACE_WS = re.compile(r"[^\S ]+") - ip_regex = re.compile("^" + eql.functions.CidrMatch.ip_re + "(/([0-2]?[0-9]|3[0-2]))?$") - unquoted_escapes = {"\\t": "\t", "\\r": "\r", "\\n": "\n"} for special in "\\():<>\"*{}]": @@ -223,7 +230,7 @@ class BaseKqlParser(Interpreter): except ValueError: pass elif field_type_family == "ip" and value_type == "keyword": - if "::" in python_value or self.ip_regex.match(python_value) is not None: + if "::" in python_value or is_ipaddress(python_value) or eql.utils.is_cidr_pattern(python_value): return python_value elif field_type_family == 'date' and value_type in STRING_FIELDS: # this will not validate datemath syntax diff --git a/pyproject.toml b/pyproject.toml index e565763da..8a5ad2dfe 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -24,22 +24,23 @@ classifiers = [ dependencies = [ "Click~=8.1.0", "elasticsearch~=8.1", - "eql==0.9.18", + "eql==0.9.19", "jsl==0.2.4", "jsonschema==3.2.0", - "marko", + "marko==2.0.1", "marshmallow-dataclass[union]~=8.5.12", "marshmallow-jsonschema~=0.12.0", "marshmallow-union~=0.1.15", "marshmallow~=3.13.0", "pywin32 ; platform_system=='Windows'", - "pytoml", + "pytoml==0.1.21", "PyYAML~=5.3 ; python_version<='3.9'", "PyYAML~=6.0.1 ; python_version>='3.10'", "requests~=2.27", "toml==0.10.0", "typing-inspect==0.8.0", - "typing-extensions==4.5.0", + "typing-extensions==4.5.0 ; python_version<='3.11'", + "typing-extensions==4.8.0 ; python_version>='3.12'", "XlsxWriter~=1.3.6", "semver==3.0.0-dev.4" ] diff --git a/rta/adobe_hijack.py b/rta/adobe_hijack.py index 3499f58f8..e143d5022 100644 --- a/rta/adobe_hijack.py +++ b/rta/adobe_hijack.py 
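Review bot: `"::" in python_value` still short-circuits the new `is_ipaddress`/`is_cidr_pattern` checks, so any keyword value containing `::` is accepted for an `ip` field without being validated at all. If `eql.utils.get_ipaddress` (which the `is_ipaddress` helper added in this diff relies on) handles IPv6, the clause can go: `if is_ipaddress(python_value) or eql.utils.is_cidr_pattern(python_value):`; if it does not, a comment stating that the `::` test is a deliberate IPv6 stand-in would stop the next reader from removing it. The enclosing method starts and ends outside the hunk.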
@@ -9,10 +9,9 @@ # Description: Replaces PE file that will run on Adobe Reader start. import os +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="2df08481-31db-44a8-b01d-1c0df827bddb", @@ -23,22 +22,22 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): - rdr_cef_dir = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF" - rdrcef_exe = os.path.join(rdr_cef_dir, "RdrCEF.exe") + rdr_cef_dir = Path("C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF") + rdrcef_exe = rdr_cef_dir / "RdrCEF.exe" cmd_path = "C:\\Windows\\System32\\cmd.exe" - backup = os.path.abspath("xxxxxx") + backup = Path("xxxxxx").resolve() backedup = False # backup original if it exists - if os.path.isfile(rdrcef_exe): + if rdrcef_exe.is_file(): common.log("{} already exists, backing up file.".format(rdrcef_exe)) common.copy_file(rdrcef_exe, backup) backedup = True else: common.log("{} doesn't exist. Creating path.".format(rdrcef_exe)) - os.makedirs(rdr_cef_dir) + rdr_cef_dir.mkdir(parents=True) # overwrite original common.copy_file(cmd_path, rdrcef_exe) @@ -47,10 +46,10 @@ def main(): if backedup: common.log("Putting back backup copy.") common.copy_file(backup, rdrcef_exe) - os.remove(backup) + backup.unlink() else: common.remove_file(rdrcef_exe) - os.removedirs(rdr_cef_dir) + rdr_cef_dir.rmdir() if __name__ == "__main__": diff --git a/rta/adobe_priv_helper_tool.py b/rta/adobe_priv_helper_tool.py index 5de11a21a..4cf0b65e2 100644 --- a/rta/adobe_priv_helper_tool.py +++ b/rta/adobe_priv_helper_tool.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/com.adobe.ARMDC.SMJobBlessHelper" diff --git a/rta/app_bundler_execution.py b/rta/app_bundler_execution.py index 7f58655c6..ef583372a 100644 
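Review bot: `import os` survives the import cleanup, yet every `os.` call in `main()` below is rewritten to `pathlib`, so unless something else in the file still uses it the import is now unused (flake8 F401). Either drop it, or keep it if `os.removedirs` is retained for the directory cleanup at the end of `main()`.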
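Review bot: `rdr_cef_dir.rmdir()` removes only `AcroCEF`, whereas the `os.removedirs(rdr_cef_dir)` it replaces also removed the now-empty parents that `rdr_cef_dir.mkdir(parents=True)` created when Adobe Reader was not installed, so the test now leaves `Adobe\Acrobat Reader DC\Reader` behind under Program Files. Keep `os.removedirs(rdr_cef_dir)` (it accepts a `Path`, and `os` is still imported), or iterate `rdr_cef_dir.parents` and `rmdir()` each directory that is empty.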
--- a/rta/app_bundler_execution.py +++ b/rta/app_bundler_execution.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/app_hijack.py b/rta/app_hijack.py index 5bb950a7e..880f0829a 100644 --- a/rta/app_hijack.py +++ b/rta/app_hijack.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): app_dir = Path("/Applications/test/Contents/") diff --git a/rta/appcompat_shim.py b/rta/appcompat_shim.py index 2173bef06..dd9e98071 100644 --- a/rta/appcompat_shim.py +++ b/rta/appcompat_shim.py @@ -28,7 +28,7 @@ metadata = RtaMetadata( SHIM_FILE = common.get_path("bin", "CVE-2013-3893.sdb") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(SHIM_FILE) def main(): common.log("Application Compatibility Shims") diff --git a/rta/at_command.py b/rta/at_command.py index ef94cea95..a2111918b 100644 --- a/rta/at_command.py +++ b/rta/at_command.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(target_host=None): target_host = target_host or common.get_ip() host_str = "\\\\%s" % target_host diff --git a/rta/at_job.py b/rta/at_job.py index 79a89c135..d4b2b5d1e 100644 --- a/rta/at_job.py +++ b/rta/at_job.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing file creation on /private/var/at/jobs/test.") diff --git a/rta/atom_init_coffee.py b/rta/atom_init_coffee.py index 59809c164..193844a45 100644 --- a/rta/atom_init_coffee.py +++ b/rta/atom_init_coffee.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): atom_dir = Path.home().joinpath(".atom") 
diff --git a/rta/auth_plugin.py b/rta/auth_plugin.py index 8007b6735..79e5d0db4 100644 --- a/rta/auth_plugin.py +++ b/rta/auth_plugin.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing file modification on test.plist to mimic authorization plugin modification") diff --git a/rta/automator_workflows.py b/rta/automator_workflows.py index d5f8d7405..917555dcc 100644 --- a/rta/automator_workflows.py +++ b/rta/automator_workflows.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/background_process_from_tmp.py b/rta/background_process_from_tmp.py index faaa317a3..86061a350 100644 --- a/rta/background_process_from_tmp.py +++ b/rta/background_process_from_tmp.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/sh" diff --git a/rta/bash_cmdline_history.py b/rta/bash_cmdline_history.py index 52a6450da..9c392dc13 100644 --- a/rta/bash_cmdline_history.py +++ b/rta/bash_cmdline_history.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/history" diff --git a/rta/bifrost_attack.py b/rta/bifrost_attack.py index 9d3affeee..ab72abf1d 100644 --- a/rta/bifrost_attack.py +++ b/rta/bifrost_attack.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bifrost" diff --git a/rta/binary_masquerade.py b/rta/binary_masquerade.py index cc596ad66..5366b3d84 100644 --- a/rta/binary_masquerade.py +++ b/rta/binary_masquerade.py 
@@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): if platform.processor() == "arm": diff --git a/rta/bitsadmin_download.py b/rta/bitsadmin_download.py index 38e8bd7fb..d7a2c44cd 100644 --- a/rta/bitsadmin_download.py +++ b/rta/bitsadmin_download.py @@ -9,12 +9,10 @@ # Description: Runs BitsAdmin to download file via command line. -import os import subprocess +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="aee48793-01ec-428f-9890-c5db9df07830", @@ -25,13 +23,13 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Running Windows BitsAdmin to Download") server, ip, port = common.serve_web() url = "http://" + ip + ":" + str(port) + "/bin/myapp.exe" - dest_path = os.path.abspath("myapp-test.exe") - fake_word = os.path.abspath("winword.exe") + dest_path = Path("myapp-test.exe").resolve() + fake_word = Path("winword.exe").resolve() common.log("Emulating parent process: {parent}".format(parent=fake_word)) common.copy_file("C:\\Windows\\System32\\cmd.exe", fake_word) diff --git a/rta/bitsadmin_execution.py b/rta/bitsadmin_execution.py index 667cfcd97..6b8c4cecd 100644 --- a/rta/bitsadmin_execution.py +++ b/rta/bitsadmin_execution.py @@ -24,7 +24,7 @@ ROOT_DIR = Path(__file__).parent EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): fake_word = ROOT_DIR / "winword.exe" diff --git a/rta/browser_cred_access.py b/rta/browser_cred_access.py index 062f81885..9b788f5c6 100644 --- a/rta/browser_cred_access.py +++ b/rta/browser_cred_access.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" 
diff --git a/rta/browser_debugging.py b/rta/browser_debugging.py index 07ac4434e..661599e4e 100644 --- a/rta/browser_debugging.py +++ b/rta/browser_debugging.py @@ -30,7 +30,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): param1 = "--remote-debugging-port=9222" param2 = "--user-data-dir=remote-profile" diff --git a/rta/brute_force_login.py b/rta/brute_force_login.py index 67a7e7082..4a9c12c04 100644 --- a/rta/brute_force_login.py +++ b/rta/brute_force_login.py @@ -29,7 +29,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(username="rta-tester", remote_host=None): if not remote_host: common.log("A remote host is required to detonate this RTA", "!") diff --git a/rta/builtin_cmd_file_delete.py b/rta/builtin_cmd_file_delete.py index 2e041469e..e4f1547f6 100644 --- a/rta/builtin_cmd_file_delete.py +++ b/rta/builtin_cmd_file_delete.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/xargs" diff --git a/rta/c2_dns_from_iso.py b/rta/c2_dns_from_iso.py index 38de43412..859374202 100644 --- a/rta/c2_dns_from_iso.py +++ b/rta/c2_dns_from_iso.py @@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="ba802fb2-f183-420e-947m-da5ce0235d123", 
@@ -24,10 +24,10 @@ PROC = 'ping.exe' # ps script to mount, execute a file and unmount ISO device PS_SCRIPT = common.get_path("bin", "ExecFromISOFile.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): - if os.path.exists(ISO) and os.path.exists(PS_SCRIPT): + if Path(ISO).is_file() and Path(PS_SCRIPT).is_file(): print(f'[+] - ISO File {ISO} will be mounted and executed via powershell') # 3 unique domains to trigger 3 unique rules looking for dns events via a process running from a mounted ISO file diff --git a/rta/calendar_file_mod.py b/rta/calendar_file_mod.py index a83edb533..1d9fab45f 100644 --- a/rta/calendar_file_mod.py +++ b/rta/calendar_file_mod.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cal_dir = Path(f"{Path.home()}/Library/Calendars/") diff --git a/rta/certutil_file_obfuscation.py b/rta/certutil_file_obfuscation.py index 706473488..0ee9e984a 100644 --- a/rta/certutil_file_obfuscation.py +++ b/rta/certutil_file_obfuscation.py @@ -9,11 +9,9 @@ # signal.rule.name: Encoding or Decoding Files via CertUtil # Description: Uses certutil to create an encoded copy of cmd.exe. Then uses certutil to decode that copy. -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="7b2c1b3e-2097-4e2f-bf5c-e157a91b8001", @@ -24,11 +22,11 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Encoding target") - encoded_file = os.path.abspath("encoded.txt") - decoded_file = os.path.abspath("decoded.exe") + encoded_file = Path("encoded.txt").resolve() + decoded_file = Path("decoded.exe").resolve() common.execute( [ "c:\\Windows\\System32\\certutil.exe", diff --git a/rta/certutil_webrequest.py b/rta/certutil_webrequest.py index 80712857e..014ac0c1f 100644 
--- a/rta/certutil_webrequest.py +++ b/rta/certutil_webrequest.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( MY_DLL = common.get_path("bin", "mydll.dll") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MY_DLL) def main(): # http server will terminate on main thread exit diff --git a/rta/child_w3wp.py b/rta/child_w3wp.py index 8e948fefb..3a14b38df 100644 --- a/rta/child_w3wp.py +++ b/rta/child_w3wp.py @@ -31,7 +31,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): w3wp = "C:\\Users\\Public\\w3wp.exe" common.copy_file(EXE_FILE, w3wp) diff --git a/rta/clr_logs_creation.py b/rta/clr_logs_creation.py index c216b25a4..a3affe36d 100644 --- a/rta/clr_logs_creation.py +++ b/rta/clr_logs_creation.py @@ -3,10 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="9bf3622b-dd76-4156-a89c-6845dca46b1f", @@ -25,14 +24,14 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): msxsl = "C:\\Users\\Public\\msxsl.exe" fake_clr_path = "C:\\Users\\Administrator\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs" fake_clr_logs = fake_clr_path + "\\msxsl.exe.log" common.copy_file(EXE_FILE, msxsl) - os.makedirs(fake_clr_path, exist_ok=True) + Path(fake_clr_path).mkdir(parents=True, exist_ok=True) common.log("Creating a fake clr log file") common.execute([msxsl, "-c", f"echo RTA > {fake_clr_logs}"], timeout=10) common.remove_files(msxsl, fake_clr_logs) diff --git a/rta/cmd_shell_via_word.py b/rta/cmd_shell_via_word.py index 75a596dcc..daf68634e 100644 --- a/rta/cmd_shell_via_word.py 
+++ b/rta/cmd_shell_via_word.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "winword.exe" common.copy_file(EXE_FILE, binary) diff --git a/rta/cmstp_image_load.py b/rta/cmstp_image_load.py index 92209a3ca..509a7112e 100644 --- a/rta/cmstp_image_load.py +++ b/rta/cmstp_image_load.py @@ -24,7 +24,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cmstp = "C:\\Users\\Public\\cmstp.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/common.py b/rta/common.py index fc1458257..47858425a 100644 --- a/rta/common.py +++ b/rta/common.py @@ -127,7 +127,7 @@ else: CMD_PATH = "/bin/sh" POWERSHELL_PATH = None -BASE_DIR = os.path.dirname(os.path.abspath(__file__)) +BASE_DIR = Path(__file__).resolve().parent ALL_IP = "0.0.0.0" IP_REGEX = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" CALLBACK_REGEX = r"https?://" + IP_REGEX + r":\d+" @@ -176,6 +176,7 @@ def requires_os(*os_list: str): @functools.wraps(f) def decorated(*args, **kwargs): if CURRENT_OS not in os_list: + # NOTE os.path.relpath supports Path objects and does not exist in pathlib filename = os.path.relpath(inspect.getsourcefile(f)) func_name = f.__name__ @@ -191,7 +192,7 @@ def requires_os(*os_list: str): def check_dependencies(*paths: str) -> bool: missing = [] for path in paths: - if not os.path.exists(path): + if not Path(path).exists(): log("Missing dependency %s" % path, "!") missing.append(path) return len(missing) == 0 @@ -200,7 +201,7 @@ def check_dependencies(*paths: str) -> bool: def dependencies(*paths: str): missing = [] for path in paths: - if not os.path.exists(path): + if not Path(path).exists(): missing.append(path) def decorator(f): 
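Review bot: `BASE_DIR = Path(__file__).resolve().parent` needs `Path` in scope, and no hunk in this diff adds `from pathlib import Path` to `rta/common.py`; if it was not already imported, the module fails at import time and every RTA with it. The assignment also changes `BASE_DIR` from `str` to `Path`, which suits the `os.path.relpath(dep, BASE_DIR)` use below but breaks any string concatenation or `%s`-style path building elsewhere in the module (`get_path` is presumably a consumer), so a grep is worthwhile before merging. A comment on the constant would make the new type explicit: `# Path, not str: build paths with Path operators or os.path.*, never concatenation`.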
@@ -209,6 +210,7 @@ def dependencies(*paths: str):
 if len(missing):
 log("Missing dependencies for %s:%s()" % (f.func_code.co_filename, f.func_code.co_name), "!")
 for dep in missing:
+ # NOTE os.path.relpath supports Path objects and does not exist in pathlib
 print(" - %s" % os.path.relpath(dep, BASE_DIR))
 return MISSING_DEPENDENCIES
 return f(*args, **kwargs)
@@ -237,8 +239,8 @@ def temporary_file(contents, file_name=None):
 def temporary_file_helper(contents, file_name=None):
- if not (file_name and os.path.isabs(file_name)):
- file_name = os.path.join(tempfile.gettempdir(), file_name or f"temp{hash(contents):d}")
+ if not (file_name and Path(file_name).is_absolute()):
+ file_name = Path(tempfile.gettempdir()) / file_name or f"temp{hash(contents):d}"
 with open(file_name, "wb" if isinstance(contents, bytes) else "w") as f:
 f.write(contents)
@@ -373,14 +375,13 @@ def link_file(source, target):
 log("Linking %s -> %s" % (source, target))
 execute(["ln", "-s", source, target])
-
-def remove_file(path):
- if os.path.exists(path):
+def remove_file(path: str):
+ if Path(path).is_file():
 log("Removing %s" % path, log_type="-")
 # Try three times to remove the file
 for _ in range(3):
 try:
- os.remove(path)
+ Path(path).unlink()
 except OSError:
 time.sleep(0.25)
 else:
@@ -388,12 +389,11 @@ def remove_file(path):
 def remove_directory(path):
- if os.path.exists(path):
- if os.path.isdir(path):
- log(f"Removing directory {path:s}", log_type="-")
- shutil.rmtree(path)
- else:
- remove_file(path)
+ if Path(path).is_dir():
+ log(f"Removing directory {path:s}", log_type="-")
+ shutil.rmtree(path)
+ else:
+ remove_file(path)
 def is_64bit():
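Review bot: `Path(tempfile.gettempdir()) / file_name or f"temp{hash(contents):d}"` parses as `(Path(...) / file_name) or ...` because `/` binds tighter than `or`, so the fallback name is never applied and a call with `file_name=None` (the signature's default) now raises `TypeError` on `Path / None` instead of writing `temp<hash>`. Parenthesise the fallback: `file_name = Path(tempfile.gettempdir()) / (file_name or f"temp{hash(contents):d}")`. The rest of the function lies outside the hunk.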
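Review bot: `def remove_file(path: str):` annotates the parameter as `str` while callers elsewhere in this diff pass `Path` objects (`rta/adobe_hijack.py` hands it `rdrcef_exe`), so the hint should be `Union[str, Path]` or `os.PathLike`. The hunk also drops one of the two blank lines between `link_file` and `remove_file` (PEP 8 E302). Replacing `os.path.exists` with `Path(path).is_file()` means a symlink that points at a directory, which `link_file` can create, is no longer removed because `is_file()` follows the link; if that case matters, test `Path(path).is_symlink() or Path(path).is_file()`.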
@@ -534,9 +534,9 @@ def get_ipv4_address(hostname): def find_writeable_directory(base_dir): for root, dirs, files in os.walk(base_dir): for d in dirs: - subdir = os.path.join(base_dir, d) + subdir = Path(base_dir) / d try: - test_file = os.path.join(subdir, "test_file") + test_file = Path(subdir) / "test_file" f = open(test_file, "w") f.close() os.remove(test_file) @@ -557,10 +557,11 @@ def run_system(arguments=None): return None if arguments is None: + # NOTE os.path.relpath supports Path objects and does not exist in pathlib arguments = [sys.executable, os.path.abspath(sys.argv[0])] + sys.argv[1:] log("Attempting to elevate to SYSTEM using PsExec") - if not os.path.exists(PS_EXEC): + if not Path(PS_EXEC).is_file(): log("PsExec not found", log_type="-") return MISSING_PSEXEC @@ -717,7 +718,7 @@ def enable_logon_auditing(host="localhost", verbose=True, sleep=2): def print_file(path): print(path) - if not os.path.exists(path): + if not Path(path).is_file(): print("--- NOT FOUND ----") else: print("-" * 16) diff --git a/rta/comsvcs_dump.py b/rta/comsvcs_dump.py index 42c29a04c..2d0ea6f53 100644 --- a/rta/comsvcs_dump.py +++ b/rta/comsvcs_dump.py @@ -34,7 +34,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Memory Dump via Comsvcs") pid = os.getpid() diff --git a/rta/crashdump_disabled.py b/rta/crashdump_disabled.py index 720562152..409d28db0 100644 --- a/rta/crashdump_disabled.py +++ b/rta/crashdump_disabled.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Temporarily disabling CrashDump...") diff --git a/rta/credaccess_reg_query_privesc_token_manip.py b/rta/credaccess_reg_query_privesc_token_manip.py index db8b4ce7d..2764211b7 100644 --- a/rta/credaccess_reg_query_privesc_token_manip.py +++ b/rta/credaccess_reg_query_privesc_token_manip.py 
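Review bot: `subdir = Path(base_dir) / d` joins each entry against `base_dir` instead of the `root` yielded by `os.walk`, so for any directory below the top level the probe path does not exist and the attempt fails; presumably `Path(root) / d` was intended, and the rewrite is the moment to fix it. `test_file = Path(subdir) / "test_file"` also re-wraps a value that is already a `Path`; `subdir / "test_file"` is enough. The function continues outside the hunk.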
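Review bot: The new `# NOTE os.path.relpath supports Path objects and does not exist in pathlib` sits above `os.path.abspath(sys.argv[0])`, which calls `abspath`, not `relpath`, and `pathlib` does offer `Path.resolve()`; the comment looks copied from the `relpath` sites and is misleading here. Either remove it or make it say why `os.path` is kept on this line, e.g. `# os.path.abspath kept so the argument list stays plain str`. The function continues outside the hunk.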
@@ -21,7 +21,7 @@ metadata = RtaMetadata( techniques=["T1134", "T1003"], ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): import ctypes from ctypes import byref, windll, wintypes diff --git a/rta/credaccess_sam_from_vss.py b/rta/credaccess_sam_from_vss.py index 9697cab4b..e4f277656 100644 --- a/rta/credaccess_sam_from_vss.py +++ b/rta/credaccess_sam_from_vss.py @@ -32,7 +32,7 @@ def vss_create(): results = wmi.ExecMethod_("Create", createparams) return results.Properties_[1].value -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): import win32file vss_list = get_vss_list() diff --git a/rta/credential_access_dump_hashes_via_cmd.py b/rta/credential_access_dump_hashes_via_cmd.py index 307515a5c..47be1e5ac 100644 --- a/rta/credential_access_dump_hashes_via_cmd.py +++ b/rta/credential_access_dump_hashes_via_cmd.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing defaults commands to dump hashes.") diff --git a/rta/credential_access_known_utilities.py b/rta/credential_access_known_utilities.py index abbf8d59b..3b466ffcb 100644 --- a/rta/credential_access_known_utilities.py +++ b/rta/credential_access_known_utilities.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "ProcessDump.exe" common.copy_file(EXE_FILE, binary) diff --git a/rta/credential_access_osascript_phishing.py b/rta/credential_access_osascript_phishing.py index 64e223b5e..a4fac6674 100644 --- a/rta/credential_access_osascript_phishing.py +++ b/rta/credential_access_osascript_phishing.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/osascript" 
diff --git a/rta/credman_discovery.py b/rta/credman_discovery.py index 50eb18037..e49ba1ea8 100644 --- a/rta/credman_discovery.py +++ b/rta/credman_discovery.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): appdata = os.getenv("LOCALAPPDATA") credmanfile = f"{appdata}\\Microsoft\\Credentials\\a.txt" diff --git a/rta/cron_tab_file_create.py b/rta/cron_tab_file_create.py index 4bb81bf38..0c984e927 100644 --- a/rta/cron_tab_file_create.py +++ b/rta/cron_tab_file_create.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing file creation on /private/var/at/tabs/test.") diff --git a/rta/cscript_suspicious_args.py b/rta/cscript_suspicious_args.py index 73f01c368..376d843a2 100644 --- a/rta/cscript_suspicious_args.py +++ b/rta/cscript_suspicious_args.py @@ -23,7 +23,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cscript = "C:\\Users\\Public\\cscript.exe" rcedit = "C:\\Users\\Public\\rcedit.exe" diff --git a/rta/curl_data_exfil.py b/rta/curl_data_exfil.py index 0e3062f20..6f59d33ad 100644 --- a/rta/curl_data_exfil.py +++ b/rta/curl_data_exfil.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/curl_payload_download.py b/rta/curl_payload_download.py index b6c56d2d9..3b75a41b9 100644 --- a/rta/curl_payload_download.py +++ b/rta/curl_payload_download.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/testfile" 
diff --git a/rta/curl_sus_payload.py b/rta/curl_sus_payload.py index 76616f860..55e93672b 100644 --- a/rta/curl_sus_payload.py +++ b/rta/curl_sus_payload.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/curl" diff --git a/rta/darkradiation.py b/rta/darkradiation.py index 54cda4da7..3cd28ffdf 100644 --- a/rta/darkradiation.py +++ b/rta/darkradiation.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/xargs" diff --git a/rta/dcom_lateral_movement_with_mmc.py b/rta/dcom_lateral_movement_with_mmc.py index cb54ac95d..910659e60 100644 --- a/rta/dcom_lateral_movement_with_mmc.py +++ b/rta/dcom_lateral_movement_with_mmc.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(remote_host=None): remote_host = remote_host or common.get_ip() common.log("DCOM Lateral Movement with MMC") diff --git a/rta/ddns_lolbas.py b/rta/ddns_lolbas.py index af9a1cb43..ec37fcaa0 100644 --- a/rta/ddns_lolbas.py +++ b/rta/ddns_lolbas.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/ddns_unsigned.py b/rta/ddns_unsigned.py index bff4ad7ab..39cc9e387 100644 --- a/rta/ddns_unsigned.py +++ b/rta/ddns_unsigned.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Users\\Public\\posh.exe" common.copy_file(EXE_FILE, posh) diff --git a/rta/defensive_evasion_reflective_loading.py b/rta/defensive_evasion_reflective_loading.py index a907afbe3..f7a28aced 100644 
--- a/rta/defensive_evasion_reflective_loading.py +++ b/rta/defensive_evasion_reflective_loading.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing deletion on /private/tmp/NSCreateObjectFileImageFromMemory-test file.") diff --git a/rta/defensive_evasion_safari_modification.py b/rta/defensive_evasion_safari_modification.py index 11af1258b..7ca1530e3 100644 --- a/rta/defensive_evasion_safari_modification.py +++ b/rta/defensive_evasion_safari_modification.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/defaults" diff --git a/rta/delete_bootconf.py b/rta/delete_bootconf.py index e3d86d4fe..d4972b420 100644 --- a/rta/delete_bootconf.py +++ b/rta/delete_bootconf.py @@ -10,11 +10,9 @@ # Description: Uses bcdedit.exe to backup the current boot configuration, and then to delete the current boot # configuration, finally restoring the original. -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="eaf71384-2e38-4970-b170-9645ccde1d2b", @@ -25,12 +23,12 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Messing with the boot configuration is probably not a great idea so create a backup: common.log("Exporting the boot configuration....") bcdedit = "bcdedit.exe" - backup_file = os.path.abspath("boot.cfg") + backup_file = Path("boot.cfg").resolve() common.execute(["bcdedit.exe", "/export", backup_file]) # WARNING: this is a destructive command which might be super bad to run diff --git a/rta/delete_catalogs.py b/rta/delete_catalogs.py index 24aa819dd..266ceec9f 100644 --- a/rta/delete_catalogs.py +++ b/rta/delete_catalogs.py 
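Review bot: In delete_bootconf.py the stdlib and local import groups are merged, `from pathlib import Path` directly followed by `from . import RtaMetadata, common` with no blank line, whereas evasion_loadlib_via_callback.py and evasion_unhook_ldrloaddll.py in the same diff separate the groups; disable_windows_fw.py, evasion_ntdll_from_unusual_path.py and evasion_oversized_dll_load.py have the merged layout too, so the diff is inconsistent with itself. `Path("boot.cfg").resolve()` also hands a `Path` rather than a str to `common.execute`, which is fine if that helper passes the argument list straight to subprocess but would break any string handling inside it; `execute` is not visible here. Unlike `os.path.abspath`, `resolve()` follows symlinks, so the exported location differs from before only when the working directory itself is a symlink, which is worth a short comment on the line if that was a deliberate choice. `main` continues past the hunk.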
@@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): warning = "Deleting the backup catalog may have unexpected consequences. Operational issues are unknown." common.log("WARNING: %s" % warning, log_type="!") diff --git a/rta/delete_quarantine_attrib.py b/rta/delete_quarantine_attrib.py index 5e352b337..407d40083 100644 --- a/rta/delete_quarantine_attrib.py +++ b/rta/delete_quarantine_attrib.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/delete_usnjrnl.py b/rta/delete_usnjrnl.py index 9f08963a1..7506bb695 100644 --- a/rta/delete_usnjrnl.py +++ b/rta/delete_usnjrnl.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): message = "Deleting the USN journal may have unintended consequences" common.log("WARNING: %s" % message, log_type="!") diff --git a/rta/delete_volume_shadows.py b/rta/delete_volume_shadows.py index fef2ae862..66d57b32e 100644 --- a/rta/delete_volume_shadows.py +++ b/rta/delete_volume_shadows.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Deleting volume shadow copies...") common.execute(["vssadmin.exe", "delete", "shadows", "/for=c:", "/oldest", "/quiet"]) diff --git a/rta/deprecated/_discovery_builtin_cmd.py b/rta/deprecated/_discovery_builtin_cmd.py index 86b859d2c..33eef0abb 100644 --- a/rta/deprecated/_discovery_builtin_cmd.py +++ b/rta/deprecated/_discovery_builtin_cmd.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" 
diff --git a/rta/deprecated/_funzip_extract_content.py b/rta/deprecated/_funzip_extract_content.py index db576ce2c..ebfe8099d 100644 --- a/rta/deprecated/_funzip_extract_content.py +++ b/rta/deprecated/_funzip_extract_content.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" diff --git a/rta/deprecated/_linux_discovery_sensitive_files.py b/rta/deprecated/_linux_discovery_sensitive_files.py index 6fa99840e..60ce89377 100644 --- a/rta/deprecated/_linux_discovery_sensitive_files.py +++ b/rta/deprecated/_linux_discovery_sensitive_files.py @@ -14,7 +14,7 @@ from . import RtaMetadata metadata = RtaMetadata(uuid="82358d3d-6f04-42d0-a182-db37cf98294e", platforms=["linux"], endpoint=[], siem=[], techniques=[]) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Reading sensitive files", log_type="~") diff --git a/rta/deprecated/_persistence_code_extension.py b/rta/deprecated/_persistence_code_extension.py index 53f860775..ca591cd57 100644 --- a/rta/deprecated/_persistence_code_extension.py +++ b/rta/deprecated/_persistence_code_extension.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/code" diff --git a/rta/deprecated/_persistence_reopened_app.py b/rta/deprecated/_persistence_reopened_app.py index 0c146873f..3bbe09893 100644 --- a/rta/deprecated/_persistence_reopened_app.py +++ b/rta/deprecated/_persistence_reopened_app.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/deprecated/_persistence_terminal_plist_mod.py b/rta/deprecated/_persistence_terminal_plist_mod.py index 3141d85b2..a5527f336 100644 --- a/rta/deprecated/_persistence_terminal_plist_mod.py 
+++ b/rta/deprecated/_persistence_terminal_plist_mod.py @@ -36,7 +36,7 @@ plist_content = """ """ -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing plutil commands to modify plist file.") diff --git a/rta/directory_service_plugin_file.py b/rta/directory_service_plugin_file.py index 5152f13c7..6c7fbff44 100644 --- a/rta/directory_service_plugin_file.py +++ b/rta/directory_service_plugin_file.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing file modification on test.dsplug to mimic DirectoryService plugin modification") diff --git a/rta/disable_os_security_updates.py b/rta/disable_os_security_updates.py index d5f316d01..2932eeba4 100644 --- a/rta/disable_os_security_updates.py +++ b/rta/disable_os_security_updates.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/defaults" diff --git a/rta/disable_windows_fw.py b/rta/disable_windows_fw.py index ceb612b6d..15bff40d8 100644 --- a/rta/disable_windows_fw.py +++ b/rta/disable_windows_fw.py @@ -9,11 +9,9 @@ # signal.rule.name: Disable Windows Firewall Rules via Netsh # Description: Uses netsh.exe to backup, disable and restore firewall rules. -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="75e14e5a-1188-47ea-9b96-2cf6e9443fc2", 
@@ -24,12 +22,12 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("NetSH Advanced Firewall Configuration", log_type="~") netsh = "netsh.exe" - rules_file = os.path.abspath("fw.rules") + rules_file = Path("fw.rules").resolve() # Check to be sure that fw.rules does not already exist from previously running this script common.remove_file(rules_file) diff --git a/rta/discovery_virtual_machine_grep.py b/rta/discovery_virtual_machine_grep.py index 86f7cce49..d32936031 100644 --- a/rta/discovery_virtual_machine_grep.py +++ b/rta/discovery_virtual_machine_grep.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing egrep commands to fingerprint virtual machine.") diff --git a/rta/dmg_create_in_tmp.py b/rta/dmg_create_in_tmp.py index 52c0552ac..345818ee0 100644 --- a/rta/dmg_create_in_tmp.py +++ b/rta/dmg_create_in_tmp.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): tmp_dir = Path("/tmp/TestDMGDir") diff --git a/rta/dock_plist.py b/rta/dock_plist.py index 7695da37e..f6a9b9563 100644 --- a/rta/dock_plist.py +++ b/rta/dock_plist.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing file modification on com.apple.dock.plist to mimic dock plist modification") diff --git a/rta/double_persist.py b/rta/double_persist.py index 236898088..65165ee82 100644 --- a/rta/double_persist.py +++ b/rta/double_persist.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "DoublePersist.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "DoublePersist.exe" common.copy_file(EXE_FILE, binary) 
diff --git a/rta/dscl_hidden_account.py b/rta/dscl_hidden_account.py index 1c06e02be..3ee3fea3a 100644 --- a/rta/dscl_hidden_account.py +++ b/rta/dscl_hidden_account.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/dscl" diff --git a/rta/dseditgroup_admin_add.py b/rta/dseditgroup_admin_add.py index bd8278216..a0e579801 100644 --- a/rta/dseditgroup_admin_add.py +++ b/rta/dseditgroup_admin_add.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/dseditgroup" diff --git a/rta/dsenableroot_account.py b/rta/dsenableroot_account.py index 576142b33..271194686 100644 --- a/rta/dsenableroot_account.py +++ b/rta/dsenableroot_account.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/dsenableroot" diff --git a/rta/dylib_injection.py b/rta/dylib_injection.py index 5b6bab71c..b384f9a58 100644 --- a/rta/dylib_injection.py +++ b/rta/dylib_injection.py @@ -30,7 +30,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): if platform.processor() == "arm": diff --git a/rta/dynwrapx_image_load.py b/rta/dynwrapx_image_load.py index 17c8aa373..ddde48ff0 100644 --- a/rta/dynwrapx_image_load.py +++ b/rta/dynwrapx_image_load.py @@ -29,7 +29,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cscript = "C:\\Users\\Public\\cscript.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/echo_tmp_file_create.py b/rta/echo_tmp_file_create.py index b1cf5902e..d6d80ec62 100644 --- a/rta/echo_tmp_file_create.py 
+++ b/rta/echo_tmp_file_create.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): file_path = "/tmp/test" diff --git a/rta/edmond_child_process.py b/rta/edmond_child_process.py index 0d8eec9ba..fe373c4e5 100644 --- a/rta/edmond_child_process.py +++ b/rta/edmond_child_process.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/emond" diff --git a/rta/eggshell_backdoor.py b/rta/eggshell_backdoor.py index 316713975..9576f85bc 100644 --- a/rta/eggshell_backdoor.py +++ b/rta/eggshell_backdoor.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/eggshell" diff --git a/rta/eicar.py b/rta/eicar.py index 6be6f738b..6e3cd0fda 100644 --- a/rta/eicar.py +++ b/rta/eicar.py @@ -15,7 +15,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" diff --git a/rta/elevated_osascript_execution.py b/rta/elevated_osascript_execution.py index 2b5933e52..ccc998ef9 100644 --- a/rta/elevated_osascript_execution.py +++ b/rta/elevated_osascript_execution.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/emond_child_process.py b/rta/emond_child_process.py index e14a7b246..bfd89efb5 100644 --- a/rta/emond_child_process.py +++ b/rta/emond_child_process.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/emond_plist.py b/rta/emond_plist.py index 25c692c02..349bd34b8 100644 --- a/rta/emond_plist.py +++ b/rta/emond_plist.py 
@@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing file modification on test.plist to mimic emond file modification") diff --git a/rta/empire_stager.py b/rta/empire_stager.py index 81d4ff257..be0743519 100644 --- a/rta/empire_stager.py +++ b/rta/empire_stager.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" diff --git a/rta/enum_commands.py b/rta/enum_commands.py index 31be7d360..809534cc8 100644 --- a/rta/enum_commands.py +++ b/rta/enum_commands.py @@ -27,7 +27,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(args=None): slow_commands = ["gpresult.exe /z", "systeminfo.exe"] diff --git a/rta/enumeration_linpeas.py b/rta/enumeration_linpeas.py index 059bee14d..684e2e1f5 100644 --- a/rta/enumeration_linpeas.py +++ b/rta/enumeration_linpeas.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/sed" diff --git a/rta/env_variable_hijacking.py b/rta/env_variable_hijacking.py index f2663cc22..f8ae76092 100644 --- a/rta/env_variable_hijacking.py +++ b/rta/env_variable_hijacking.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/launchctl" diff --git a/rta/evasion_addinproc_certoc_odbc_gfxdwn.py b/rta/evasion_addinproc_certoc_odbc_gfxdwn.py index 0432e3fe0..fc885368e 100644 --- a/rta/evasion_addinproc_certoc_odbc_gfxdwn.py +++ b/rta/evasion_addinproc_certoc_odbc_gfxdwn.py 
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
def main():
addinproc = "C:\\Users\\Public\\AddInProcess.exe"
certoc = "C:\\Users\\Public\\CertOc.exe"
diff --git a/rta/evasion_loadlib_via_callback.py b/rta/evasion_loadlib_via_callback.py
index 9e0f98345..c4be1ac25 100644
--- a/rta/evasion_loadlib_via_callback.py
+++ b/rta/evasion_loadlib_via_callback.py
@@ -3,9 +3,9 @@
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
-from . import common
-from . import RtaMetadata
-import os
+from pathlib import Path
+
+from . import RtaMetadata, common
metadata = RtaMetadata(
uuid="ae4b2807-3a16-485e-bb69-5d36bbe9b7d1",
@@ -19,10 +19,10 @@ metadata = RtaMetadata(
# source code - https://gist.github.com/joe-desimone/0b2bb00eca4c522ba0bd5541a6f3528b
BIN = common.get_path("bin", "LoadLib-Callback64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
def main():
- if os.path.exists(BIN) :
+ if Path(BIN).is_file():
print(f'[+] - File {BIN} will be executed')
common.execute(BIN)
# cleanup
diff --git a/rta/evasion_ntdll_from_unusual_path.py b/rta/evasion_ntdll_from_unusual_path.py
index f1c54dae3..23a7de872 100644
--- a/rta/evasion_ntdll_from_unusual_path.py
+++ b/rta/evasion_ntdll_from_unusual_path.py
@@ -4,9 +4,9 @@
# 2.0.
-from . import common
-from . import RtaMetadata
+from pathlib import Path
+from . import RtaMetadata, common
metadata = RtaMetadata(
uuid="e6d5315f-4c70-4788-8564-e7c23786a4d0",
@@ -18,12 +18,15 @@ metadata = RtaMetadata(
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
def main():
- import win32file, win32api, os, time
+ import time
from os import path
+
+ import win32api
+ import win32file
win32file.CopyFile(path.expandvars("%systemroot%\\system32\\ntdll.dll"), path.expandvars("%localappdata%\\Temp\\notntdll.dll"), 0)
- if os.path.exists(path.expandvars("%localappdata%\\Temp\\notntdll.dll")):
+ if Path(path.expandvars("%localappdata%\\Temp\\notntdll.dll")).is_file():
print(f"[+] - NTDLL copied")
r = win32api.LoadLibrary(path.expandvars("%localappdata%\\Temp\\notntdll.dll"))
if r > 0 :
diff --git a/rta/evasion_oversized_dll_load.py b/rta/evasion_oversized_dll_load.py
index a09192410..23bfaf7e4 100644
--- a/rta/evasion_oversized_dll_load.py
+++ b/rta/evasion_oversized_dll_load.py
@@ -3,9 +3,9 @@
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
-from . import common
-from . import RtaMetadata
+from pathlib import Path
+from . import RtaMetadata, common
metadata = RtaMetadata(
uuid="ec52377c-b2a8-4c44-8eb4-465376f2189a",
@@ -28,18 +28,20 @@ DLL = common.get_path("bin", "faultrep.dll")
WER = "c:\\windows\\system32\\werfault.exe"
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
def main():
- import os, win32file
+ import os
from os import path
- if os.path.exists(DLL) :
+
+ import win32file
+ if Path(DLL).is_file():
tempc = path.expandvars("%localappdata%\\Temp\\oversized.dll")
rta_dll = path.expandvars("%localappdata%\\Temp\\faultrep.dll")
rta_pe = path.expandvars("%localappdata%\\Temp\\wer.exe")
# copy files to temp
win32file.CopyFile(DLL,tempc, 0)
win32file.CopyFile(WER, rta_pe, 0)
- if os.path.exists(tempc):
+ if Path(tempc).is_file():
print(f"[+] - {DLL} copied to {tempc}")
print(f"[+] - File {tempc} will be appended with null bytes to reach 90MB in size.")
# append null bytes to makde the DLL oversized 90+MB in size
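Review bot: In evasion_ntdll_from_unusual_path.py the same `path.expandvars("%localappdata%\\Temp\\notntdll.dll")` is evaluated three times in `main` (copy destination, the new `is_file()` check and the `LoadLibrary` call); hoisting it once as `target = Path(path.expandvars("%localappdata%\\Temp\\notntdll.dll"))` and reusing `target` (with `str(target)` where the win32 call needs a str) shortens the changed line and removes the chance of the three literals drifting apart. In evasion_oversized_dll_load.py, `import os` survives the split of the combined import although `os.path.exists` was its only visible use in `main`; if nothing below the hunk still uses `os`, the import is now dead, and the `import win32file` line is followed directly by `if Path(DLL).is_file():` with no blank line separating imports from code. Both `main` bodies continue past their hunks.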
@@ -49,7 +51,7 @@ def main():
# copied via cmd to trigger the rule - python is signed and won't trigger the file mod part of the rule
common.execute(["cmd.exe", "/c", "copy", tempc, rta_dll])
- if os.path.exists(rta_dll) and os.path.exists(rta_pe):
+ if Path(rta_dll).is_file() and Path(rta_pe).is_file():
# should trigger rundll32 rules
common.execute(["rundll32.exe", rta_dll, "DllMain"])
# should trigger dll sideload from current dir
diff --git a/rta/evasion_patch_etw_amsi.py b/rta/evasion_patch_etw_amsi.py
index e7b96959b..3b64b4dc1 100644
--- a/rta/evasion_patch_etw_amsi.py
+++ b/rta/evasion_patch_etw_amsi.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
)
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
def main():
import ctypes, platform
from ctypes import windll, wintypes
diff --git a/rta/evasion_unhook_ldrloaddll.py b/rta/evasion_unhook_ldrloaddll.py
index decbaf052..73e77bfac 100644
--- a/rta/evasion_unhook_ldrloaddll.py
+++ b/rta/evasion_unhook_ldrloaddll.py
@@ -3,9 +3,9 @@
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
-from . import common
-from . import RtaMetadata
-import os
+from pathlib import Path
+
+from . import RtaMetadata, common
metadata = RtaMetadata(
uuid="7fcf2f31-b510-45f8-9de4-7dc8f5ecb68b",
@@ -21,10 +21,10 @@ metadata = RtaMetadata(
# source code -https://gist.github.com/Samirbous/cee44dbd0254c28d4f57709d5c723aee
BIN = common.get_path("bin", "rta_unhook_ldrload.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
def main():
- if os.path.exists(BIN) :
+ if Path(BIN).is_file():
print(f'[+] - File {BIN} will be executed')
common.execute(BIN)
# cleanup
diff --git a/rta/exec_cmd_adfind.py b/rta/exec_cmd_adfind.py
index 0a0e3e637..edf3a227e 100644
--- a/rta/exec_cmd_adfind.py
+++ b/rta/exec_cmd_adfind.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): adfind = "C:\\Users\\Public\\adfind.exe" common.copy_file(EXE_FILE, adfind) diff --git a/rta/exec_cmd_appcmd_logging.py b/rta/exec_cmd_appcmd_logging.py index 65bf28334..c130416de 100644 --- a/rta/exec_cmd_appcmd_logging.py +++ b/rta/exec_cmd_appcmd_logging.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): appcmd = "C:\\Users\\Public\\appcmd.exe" common.copy_file(EXE_FILE, appcmd) diff --git a/rta/exec_cmd_arp.py b/rta/exec_cmd_arp.py index 0cbee9bd4..9c0cf5001 100644 --- a/rta/exec_cmd_arp.py +++ b/rta/exec_cmd_arp.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): arp = "C:\\Windows\\System32\\arp.exe" diff --git a/rta/exec_cmd_aspnet_regiis.py b/rta/exec_cmd_aspnet_regiis.py index 5e0ce2f3e..e527dd218 100644 --- a/rta/exec_cmd_aspnet_regiis.py +++ b/rta/exec_cmd_aspnet_regiis.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): aspnet_regiis = "C:\\Users\\Public\\aspnet_regiis.exe" common.copy_file(EXE_FILE, aspnet_regiis) diff --git a/rta/exec_cmd_attrib_hidden.py b/rta/exec_cmd_attrib_hidden.py index e2294f4f5..56461d09d 100644 --- a/rta/exec_cmd_attrib_hidden.py +++ b/rta/exec_cmd_attrib_hidden.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): attrib = "C:\\Users\\Public\\attrib.exe" common.copy_file(EXE_FILE, attrib) 
diff --git a/rta/exec_cmd_auditpol.py b/rta/exec_cmd_auditpol.py index 29f71425c..c7ec086df 100644 --- a/rta/exec_cmd_auditpol.py +++ b/rta/exec_cmd_auditpol.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): auditpol = "C:\\Users\\Public\\auditpol.exe" common.copy_file(EXE_FILE, auditpol) diff --git a/rta/exec_cmd_clear_history.py b/rta/exec_cmd_clear_history.py index 1ab2d5b81..3db358367 100644 --- a/rta/exec_cmd_clear_history.py +++ b/rta/exec_cmd_clear_history.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/exec_cmd_compiled_html.py b/rta/exec_cmd_compiled_html.py index 192ca5ad7..2964589b4 100644 --- a/rta/exec_cmd_compiled_html.py +++ b/rta/exec_cmd_compiled_html.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): hh = "C:\\Users\\Public\\hh.exe" mshta = "C:\\Windows\\System32\\mshta.exe" diff --git a/rta/exec_cmd_endpoint_security_masquerading.py b/rta/exec_cmd_endpoint_security_masquerading.py index 49326746c..586006bf2 100644 --- a/rta/exec_cmd_endpoint_security_masquerading.py +++ b/rta/exec_cmd_endpoint_security_masquerading.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): esensor = "C:\\Users\\Public\\esensor.exe" common.copy_file(EXE_FILE, esensor) diff --git a/rta/exec_cmd_fltmc_unload.py b/rta/exec_cmd_fltmc_unload.py index 56069e36e..68bdae44e 100644 --- a/rta/exec_cmd_fltmc_unload.py +++ b/rta/exec_cmd_fltmc_unload.py 
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     fltmc = "C:\\Users\\Public\\fltmc.exe"
     common.copy_file(EXE_FILE, fltmc)
diff --git a/rta/exec_cmd_fsutil_fsinfo.py b/rta/exec_cmd_fsutil_fsinfo.py
index b7ccd111a..d63934494 100644
--- a/rta/exec_cmd_fsutil_fsinfo.py
+++ b/rta/exec_cmd_fsutil_fsinfo.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     fsutil = "C:\\Windows\\System32\\fsutil.exe"
diff --git a/rta/exec_cmd_hidden_share.py b/rta/exec_cmd_hidden_share.py
index a5a4ae60c..f3ac01b33 100644
--- a/rta/exec_cmd_hidden_share.py
+++ b/rta/exec_cmd_hidden_share.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     xcopy = "C:\\Users\\Public\\xcopy.exe"
     common.copy_file(EXE_FILE, xcopy)
diff --git a/rta/exec_cmd_mklink.py b/rta/exec_cmd_mklink.py
index aa09a77b3..849db50b6 100644
--- a/rta/exec_cmd_mklink.py
+++ b/rta/exec_cmd_mklink.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_mpcmdrun_download.py b/rta/exec_cmd_mpcmdrun_download.py
index 688595156..377278e7d 100644
--- a/rta/exec_cmd_mpcmdrun_download.py
+++ b/rta/exec_cmd_mpcmdrun_download.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     mpcmdrun = "C:\\Users\\Public\\MpCmdRun.exe"
     common.copy_file(EXE_FILE, mpcmdrun)
diff --git a/rta/exec_cmd_msdt.py b/rta/exec_cmd_msdt.py
index 96e92fd3e..c75f68bec 100644
--- a/rta/exec_cmd_msdt.py
+++ b/rta/exec_cmd_msdt.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     msdt = "C:\\Users\\Public\\rta.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_cmd_mssql_xp_cmdshell.py b/rta/exec_cmd_mssql_xp_cmdshell.py
index ab503819a..a6fb54414 100644
--- a/rta/exec_cmd_mssql_xp_cmdshell.py
+++ b/rta/exec_cmd_mssql_xp_cmdshell.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     sqlservr = "C:\\Users\\Public\\sqlservr.exe"
     cmd = "C:\\Windows\\System32\\cmd.exe"
diff --git a/rta/exec_cmd_net_stop.py b/rta/exec_cmd_net_stop.py
index fbf042f4f..a2dd815c7 100644
--- a/rta/exec_cmd_net_stop.py
+++ b/rta/exec_cmd_net_stop.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     net = "C:\\Users\\Public\\net.exe"
     common.copy_file(EXE_FILE, net)
diff --git a/rta/exec_cmd_net_use.py b/rta/exec_cmd_net_use.py
index 410e16218..de5412d08 100644
--- a/rta/exec_cmd_net_use.py
+++ b/rta/exec_cmd_net_use.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     net = "C:\\Users\\Public\\net.exe"
     common.copy_file(EXE_FILE, net)
diff --git a/rta/exec_cmd_netsh_advfirewall_network_discovery.py b/rta/exec_cmd_netsh_advfirewall_network_discovery.py
index 428508a9d..1e9c310ae 100644
--- a/rta/exec_cmd_netsh_advfirewall_network_discovery.py
+++ b/rta/exec_cmd_netsh_advfirewall_network_discovery.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     netsh = "C:\\Users\\Public\\netsh.exe"
     common.copy_file(EXE_FILE, netsh)
diff --git a/rta/exec_cmd_netsh_remotedesktop.py b/rta/exec_cmd_netsh_remotedesktop.py
index 4feed5efd..f71c86884 100644
--- a/rta/exec_cmd_netsh_remotedesktop.py
+++ b/rta/exec_cmd_netsh_remotedesktop.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     netsh = "C:\\Users\\Public\\netsh.exe"
     common.copy_file(EXE_FILE, netsh)
diff --git a/rta/exec_cmd_nltest.py b/rta/exec_cmd_nltest.py
index 60ddf1be3..73b7b679e 100644
--- a/rta/exec_cmd_nltest.py
+++ b/rta/exec_cmd_nltest.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_non_executable_file.py b/rta/exec_cmd_non_executable_file.py
index ce8eecd0b..cc5ea269c 100644
--- a/rta/exec_cmd_non_executable_file.py
+++ b/rta/exec_cmd_non_executable_file.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing bash on unexecutable file.")
diff --git a/rta/exec_cmd_ntdsdit.py b/rta/exec_cmd_ntdsdit.py
index 670d7e8df..989ef6740 100644
--- a/rta/exec_cmd_ntdsdit.py
+++ b/rta/exec_cmd_ntdsdit.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_posh_mailbox.py b/rta/exec_cmd_posh_mailbox.py
index 2e4432f2d..65d96fbbf 100644
--- a/rta/exec_cmd_posh_mailbox.py
+++ b/rta/exec_cmd_posh_mailbox.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_psexesvc.py b/rta/exec_cmd_psexesvc.py
index c04123aed..839047caa 100644
--- a/rta/exec_cmd_psexesvc.py
+++ b/rta/exec_cmd_psexesvc.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     psexesvc = "C:\\Users\\Public\\rta.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_cmd_pwd_appcmd.py b/rta/exec_cmd_pwd_appcmd.py
index 8c839baa1..0e5a62874 100644
--- a/rta/exec_cmd_pwd_appcmd.py
+++ b/rta/exec_cmd_pwd_appcmd.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     appcmd = "C:\\Users\\Public\\appcmd.exe"
     common.copy_file(EXE_FILE, appcmd)
diff --git a/rta/exec_cmd_rundll32.py b/rta/exec_cmd_rundll32.py
index cab4f0809..da7734727 100644
--- a/rta/exec_cmd_rundll32.py
+++ b/rta/exec_cmd_rundll32.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     rundll32 = "C:\\Users\\Public\\rundll32.exe"
     cmd = "C:\\Windows\\System32\\cmd.exe"
diff --git a/rta/exec_cmd_rundll32_davsetcookie.py b/rta/exec_cmd_rundll32_davsetcookie.py
index 2f4e7f777..f0dbe28af 100644
--- a/rta/exec_cmd_rundll32_davsetcookie.py
+++ b/rta/exec_cmd_rundll32_davsetcookie.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     rundll32 = "C:\\Users\\Public\\rundll32.exe"
     common.copy_file(EXE_FILE, rundll32)
diff --git a/rta/exec_cmd_set_casmailbox.py b/rta/exec_cmd_set_casmailbox.py
index 2bb6a021f..21282aa6b 100644
--- a/rta/exec_cmd_set_casmailbox.py
+++ b/rta/exec_cmd_set_casmailbox.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
     common.execute([powershell, "/c", "echo", "Set-CASMailbox ActiveSyncAllowedDeviceIDs"], timeout=5, kill=True)
diff --git a/rta/exec_cmd_set_mppreference.py b/rta/exec_cmd_set_mppreference.py
index 365384480..cb74c8dba 100644
--- a/rta/exec_cmd_set_mppreference.py
+++ b/rta/exec_cmd_set_mppreference.py
@@ -25,7 +25,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_short_name.py b/rta/exec_cmd_short_name.py
index 4bc9e79d4..2c6fa9c3d 100644
--- a/rta/exec_cmd_short_name.py
+++ b/rta/exec_cmd_short_name.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     rta = "C:\\Users\\Public\\a.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_cmd_windows_firewall_disabled.py b/rta/exec_cmd_windows_firewall_disabled.py
index f71f6da1f..5f0f3cbb9 100644
--- a/rta/exec_cmd_windows_firewall_disabled.py
+++ b/rta/exec_cmd_windows_firewall_disabled.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_cmd_wmi_cmdexe.py b/rta/exec_cmd_wmi_cmdexe.py
index 55769d179..87edfc170 100644
--- a/rta/exec_cmd_wmi_cmdexe.py
+++ b/rta/exec_cmd_wmi_cmdexe.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     wmiprvse = "C:\\Users\\Public\\wmiprvse.exe"
     cmd = "C:\\Windows\\System32\\cmd.exe"
diff --git a/rta/exec_cmd_wmi_subscription.py b/rta/exec_cmd_wmi_subscription.py
index 01a737558..70532e72e 100644
--- a/rta/exec_cmd_wmi_subscription.py
+++ b/rta/exec_cmd_wmi_subscription.py
@@ -17,7 +17,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     wmic = "C:\\Users\\Public\\wmic.exe"
     common.copy_file(EXE_FILE, wmic)
diff --git a/rta/exec_cmd_wmic_antivirus_enum.py b/rta/exec_cmd_wmic_antivirus_enum.py
index 7a8eda2ed..1ceacc3b2 100644
--- a/rta/exec_cmd_wmic_antivirus_enum.py
+++ b/rta/exec_cmd_wmic_antivirus_enum.py
@@ -16,7 +16,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     wmic = "C:\\Windows\\System32\\wbem\\WMIC.exe"
diff --git a/rta/exec_cmd_workfolders.py b/rta/exec_cmd_workfolders.py
index e8f533917..1ac8cd2c0 100644
--- a/rta/exec_cmd_workfolders.py
+++ b/rta/exec_cmd_workfolders.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     workfolders = "C:\\Users\\Public\\WorkFolders.exe"
     control = "C:\\Users\\Public\\control.exe"
diff --git a/rta/exec_cmd_xwizard.py b/rta/exec_cmd_xwizard.py
index c80fd53f8..6a769e432 100644
--- a/rta/exec_cmd_xwizard.py
+++ b/rta/exec_cmd_xwizard.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     xwizard = "C:\\Users\\Public\\xwizard.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_conhost_indirect.py b/rta/exec_conhost_indirect.py
index 22d1cfb70..b2dc7657c 100644
--- a/rta/exec_conhost_indirect.py
+++ b/rta/exec_conhost_indirect.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     conhost = "C:\\Users\\Public\\conhost.exe"
     posh = "C:\\Users\\Public\\posh.exe"
diff --git a/rta/exec_control_panel_cpl.py b/rta/exec_control_panel_cpl.py
index c9bd41364..0b261aaa6 100644
--- a/rta/exec_control_panel_cpl.py
+++ b/rta/exec_control_panel_cpl.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # Execute command
diff --git a/rta/exec_cscript_archive_args.py b/rta/exec_cscript_archive_args.py
index 3c0e65783..fc412d9fc 100644
--- a/rta/exec_cscript_archive_args.py
+++ b/rta/exec_cscript_archive_args.py
@@ -23,7 +23,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     cscript = "C:\\Users\\Public\\cscript.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_cscript_suspicious_powershell.py b/rta/exec_cscript_suspicious_powershell.py
index 09fff7242..a1225e131 100644
--- a/rta/exec_cscript_suspicious_powershell.py
+++ b/rta/exec_cscript_suspicious_powershell.py
@@ -25,7 +25,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     cscript = "C:\\Users\\Public\\cscript.exe"
     common.copy_file(EXE_FILE, cscript)
diff --git a/rta/exec_dll_file_compressed.py b/rta/exec_dll_file_compressed.py
index cc8da48fc..56d0fda03 100644
--- a/rta/exec_dll_file_compressed.py
+++ b/rta/exec_dll_file_compressed.py
@@ -3,9 +3,9 @@
 # 2.0; you may not use this file except in compliance with the Elastic License
 # 2.0.
-from . import common
-from . import RtaMetadata
-import os
+from pathlib import Path
+
+from . import RtaMetadata, common
 metadata = RtaMetadata(
     uuid="bbad34f5-3542-4484-9b23-5ef05af94c0f",
@@ -19,10 +19,10 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     path = "C:\\Users\\Public\\Temp\\7z\\"
-    os.makedirs(path, exist_ok=True)
+    Path(path).mkdir(parents=True, exist_ok=True)
     file = "C:\\Users\\Public\\Temp\\7z\\file.exe"
     user32 = "C:\\Windows\\System32\\user32.dll"
     dll = "C:\\Users\\Public\\Temp\\7z\\unsigned.dll"
diff --git a/rta/exec_dnguard_program.py b/rta/exec_dnguard_program.py
index 1dde467e4..04f691ee3 100644
--- a/rta/exec_dnguard_program.py
+++ b/rta/exec_dnguard_program.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     posh = "C:\\Users\\Public\\posh.exe"
     user32 = "C:\\Windows\\System32\\user32.dll"
diff --git a/rta/exec_echo_named_pipe.py b/rta/exec_echo_named_pipe.py
index 5a67df1bf..80a3a95f8 100644
--- a/rta/exec_echo_named_pipe.py
+++ b/rta/exec_echo_named_pipe.py
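Review bot: Removing `import os` from rta/exec_dll_file_compressed.py is only safe if no `os.` reference survives outside the two hunks shown (lines 3–11 and 19–28); any later `os.path` or `os.remove` call in main would now fail with NameError on first use, and nothing in the diff rules that out. The same import is dropped in rta/exec_persistence_from_iso.py, rta/execution_iso_dll_rundll32.py, rta/execution_iso_dll_sideload.py and rta/file_create_exchange_um.py, so a flake8 F821 pass (or a grep for `os.`) over those five files would settle it. In the second hunk, `Path(path).mkdir(parents=True, exist_ok=True)` is a faithful replacement for `os.makedirs(path, exist_ok=True)`, including raising FileExistsError if `path` already exists as a regular file. main's body continues past the end of that hunk.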
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # Execute command
diff --git a/rta/exec_explorer_trampoline.py b/rta/exec_explorer_trampoline.py
index 1916b3419..2d5c8a1af 100644
--- a/rta/exec_explorer_trampoline.py
+++ b/rta/exec_explorer_trampoline.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     explorer = "C:\\Users\\Public\\explorer.exe"
     common.copy_file(EXE_FILE, explorer)
diff --git a/rta/exec_from_mount.py b/rta/exec_from_mount.py
index a145f9bac..168a95a7f 100644
--- a/rta/exec_from_mount.py
+++ b/rta/exec_from_mount.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/Volumes/bash"
diff --git a/rta/exec_from_python.py b/rta/exec_from_python.py
index 62aef4e42..0c94ec7e4 100644
--- a/rta/exec_from_python.py
+++ b/rta/exec_from_python.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # test_file = "/tmp/test.txt"
diff --git a/rta/exec_from_terminal.py b/rta/exec_from_terminal.py
index e5a5857d5..da185c70e 100644
--- a/rta/exec_from_terminal.py
+++ b/rta/exec_from_terminal.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/terminal"
diff --git a/rta/exec_gfxdownloadwrapper.py b/rta/exec_gfxdownloadwrapper.py
index 7a1b488b1..2f5a8d1bd 100644
--- a/rta/exec_gfxdownloadwrapper.py
+++ b/rta/exec_gfxdownloadwrapper.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     gfx = "C:\\Users\\Public\\GfxDownloadWrapper.exe"
     common.copy_file(EXE_FILE, gfx)
diff --git a/rta/exec_ingress_tool_posh.py b/rta/exec_ingress_tool_posh.py
index b802aae0d..59b786177 100644
--- a/rta/exec_ingress_tool_posh.py
+++ b/rta/exec_ingress_tool_posh.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Users\\Public\\powershell.exe"
     common.copy_file(EXE_FILE, powershell)
diff --git a/rta/exec_java_revshell_linux.py b/rta/exec_java_revshell_linux.py
index 6afc5de9c..e56b8bfb4 100644
--- a/rta/exec_java_revshell_linux.py
+++ b/rta/exec_java_revshell_linux.py
@@ -14,7 +14,7 @@ metadata = RtaMetadata(
     techniques=["T1059", "T1071"],
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Creating a fake Java executable..")
diff --git a/rta/exec_java_via_scripting.py b/rta/exec_java_via_scripting.py
index a53899926..518abee61 100644
--- a/rta/exec_java_via_scripting.py
+++ b/rta/exec_java_via_scripting.py
@@ -3,9 +3,10 @@
 # 2.0; you may not use this file except in compliance with the Elastic License
 # 2.0.
-from . import common
-from . import RtaMetadata
 import os
+from pathlib import Path
+
+from . import RtaMetadata, common
 metadata = RtaMetadata(
     uuid="a3b26c9e-6910-43f7-93b2-84cc777e54f4",
@@ -32,8 +33,8 @@ def main():
     cscript = "C:\\Users\\Public\\cscript.exe"
     executable = path + "Javafake.exe"
-    if not os.path.exists(path):
-        os.makedirs(path)
+    if not Path(path).is_dir():
+        Path(path).mkdir(parents=True)
     else:
         pass
     common.copy_file(EXE_FILE, cscript)
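Review bot: In rta/exec_java_via_scripting.py the `else: pass` after the new `is_dir()` check is dead code, and the check-then-create pair is the pattern this same commit avoids in rta/exec_dll_file_compressed.py by calling mkdir directly. The whole four-line conditional can collapse to `Path(path).mkdir(parents=True, exist_ok=True)`, which behaves the same as the new code when the directory already exists and, like it, raises FileExistsError if `path` is an existing regular file. The first hunk keeps `import os`, so presumably `os` is still used elsewhere in this file; worth confirming rather than assuming. main both starts and ends outside this hunk.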
diff --git a/rta/exec_ms_dotnet_clickonce.py b/rta/exec_ms_dotnet_clickonce.py
index 9cd761e0b..db0994975 100644
--- a/rta/exec_ms_dotnet_clickonce.py
+++ b/rta/exec_ms_dotnet_clickonce.py
@@ -29,7 +29,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     rundll32 = "C:\\Users\\Public\\rundll32.exe"
     dfsvc = "C:\\Users\\Public\\dfsvc.exe"
diff --git a/rta/exec_msdt_diagcab.py b/rta/exec_msdt_diagcab.py
index 60ceb1fd8..a2373e32e 100644
--- a/rta/exec_msdt_diagcab.py
+++ b/rta/exec_msdt_diagcab.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     firefox = "C:\\Users\\Public\\firefox.exe"
     msdt = "C:\\Users\\Public\\msdt.exe"
diff --git a/rta/exec_msiexec_dllregisterserver.py b/rta/exec_msiexec_dllregisterserver.py
index 7f84d5b18..7e2b7ca8f 100644
--- a/rta/exec_msiexec_dllregisterserver.py
+++ b/rta/exec_msiexec_dllregisterserver.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     msiexec = "C:\\Windows\\System32\\msiexec.exe"
diff --git a/rta/exec_nohup.py b/rta/exec_nohup.py
index 471c31633..a10b90d3e 100644
--- a/rta/exec_nohup.py
+++ b/rta/exec_nohup.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     test_file = "/tmp/test.txt"
diff --git a/rta/exec_persistence_from_iso.py b/rta/exec_persistence_from_iso.py
index 39cbd9500..3871fcb42 100644
--- a/rta/exec_persistence_from_iso.py
+++ b/rta/exec_persistence_from_iso.py
@@ -3,9 +3,9 @@
 # 2.0; you may not use this file except in compliance with the Elastic License
 # 2.0.
-from . import common
-from . import RtaMetadata
-import os
+from pathlib import Path
+
+from . import RtaMetadata, common
 metadata = RtaMetadata(
     uuid="a4355bfc-aa15-43f6-a36d-523aa637127b",
@@ -23,10 +23,10 @@ PROC = 'cmd.exe'
 # ps script to mount, execute a file and unmount ISO device
 PS_SCRIPT = common.get_path("bin", "ExecFromISOFile.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
-    if os.path.exists(ISO) and os.path.exists(PS_SCRIPT):
+    if Path(ISO).is_file() and Path(PS_SCRIPT).is_file():
         print(f'[+] - ISO File {ISO} will be mounted and executed via powershell')
         # commands to trigger two unique rules looking for persistence from a mounted ISO file
diff --git a/rta/exec_privhelper_tool.py b/rta/exec_privhelper_tool.py
index 9541ae934..234e7345c 100644
--- a/rta/exec_privhelper_tool.py
+++ b/rta/exec_privhelper_tool.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     tools = Path("/Library/PrivilegedHelperTools")
diff --git a/rta/exec_renamed_msbuild.py b/rta/exec_renamed_msbuild.py
index e8d8c6c86..70d06817c 100644
--- a/rta/exec_renamed_msbuild.py
+++ b/rta/exec_renamed_msbuild.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     msbuild = "C:\\Users\\Public\\rta.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_renamed_winword.py b/rta/exec_renamed_winword.py
index 814cfa366..030d53476 100644
--- a/rta/exec_renamed_winword.py
+++ b/rta/exec_renamed_winword.py
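Review bot: In rta/exec_persistence_from_iso.py, `Path(ISO).is_file()` is stricter than the `os.path.exists(ISO)` it replaces: a directory or dangling symlink at either path now takes the `else` branch (outside the hunk), and on interpreters before 3.13 pathlib only swallows a fixed set of errnos, so a PermissionError from stat propagates where `os.path.exists` returned False. That tightening looks intended for an ISO and a .ps1, but a one-line comment above the `if` would record it, e.g. `# both prerequisites must be regular files; anything else is treated as missing`. The identical change is made in rta/execution_iso_dll_rundll32.py and rta/execution_iso_dll_sideload.py. The `print(...)` on the next context line is out of step with the `common.log(...)` the other RTAs in this diff use, though that predates the commit.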
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     winword = "C:\\Users\\Public\\rta.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_scripting_persistence_locations.py b/rta/exec_scripting_persistence_locations.py
index e87bae2e5..627a5f381 100644
--- a/rta/exec_scripting_persistence_locations.py
+++ b/rta/exec_scripting_persistence_locations.py
@@ -25,7 +25,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_scripting_unusual_extension.py b/rta/exec_scripting_unusual_extension.py
index 6b1750ae5..3f0c43710 100644
--- a/rta/exec_scripting_unusual_extension.py
+++ b/rta/exec_scripting_unusual_extension.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     common.log("Executing cscript against .exe")
     common.execute(["cmd.exe", "/c", "cscript.exe", "/e:Vbscript", "cmd.exe"], timeout=5, kill=True)
diff --git a/rta/exec_scripting_via_html_app.py b/rta/exec_scripting_via_html_app.py
index ff8d81026..c2597dae5 100644
--- a/rta/exec_scripting_via_html_app.py
+++ b/rta/exec_scripting_via_html_app.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     # Execute Command
     # Had a hard time trying to escape the quotes that would be needed to execute a real command using
diff --git a/rta/exec_sliver_posh.py b/rta/exec_sliver_posh.py
index b8c2ab945..15fec41cf 100644
--- a/rta/exec_sliver_posh.py
+++ b/rta/exec_sliver_posh.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
diff --git a/rta/exec_sqlserver_suspicious_child.py b/rta/exec_sqlserver_suspicious_child.py
index de4ca3487..3d40a0044 100644
--- a/rta/exec_sqlserver_suspicious_child.py
+++ b/rta/exec_sqlserver_suspicious_child.py
@@ -20,7 +20,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
     sqlserver = "C:\\Users\\Public\\sqlserver.exe"
diff --git a/rta/exec_susp_explorer.py b/rta/exec_susp_explorer.py
index 8821e3830..2f49a2f02 100644
--- a/rta/exec_susp_explorer.py
+++ b/rta/exec_susp_explorer.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     explorer = "C:\\Windows\\explorer.exe"
     common.execute([explorer, "easyminerRTA"], timeout=1, kill=True)
diff --git a/rta/exec_susp_msiexec.py b/rta/exec_susp_msiexec.py
index 8409a78fd..3ce98e2f8 100644
--- a/rta/exec_susp_msiexec.py
+++ b/rta/exec_susp_msiexec.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
     msiexec = "C:\\Users\\Public\\msiexec.exe"
diff --git a/rta/exec_susp_parent_child.py b/rta/exec_susp_parent_child.py
index b07f4ce44..811f625e8 100644
--- a/rta/exec_susp_parent_child.py
+++ b/rta/exec_susp_parent_child.py
@@ -18,7 +18,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     posh = "C:\\Users\\Public\\posh.exe"
     tiworker = "C:\\Users\\Public\\TiWorker.exe"
diff --git a/rta/exec_svchost_child_schedule.py b/rta/exec_svchost_child_schedule.py
index 3409cf1c4..ef057f06b 100644
--- a/rta/exec_svchost_child_schedule.py
+++ b/rta/exec_svchost_child_schedule.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     svchost = "C:\\Users\\Public\\svchost.exe"
     common.copy_file(EXE_FILE, svchost)
diff --git a/rta/exec_tclsh.py b/rta/exec_tclsh.py
index 381b00ef1..0973f3482 100644
--- a/rta/exec_tclsh.py
+++ b/rta/exec_tclsh.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     masquerade = "/tmp/tclsh"
diff --git a/rta/exec_unusual_directory.py b/rta/exec_unusual_directory.py
index 56824da35..8ecbb312b 100644
--- a/rta/exec_unusual_directory.py
+++ b/rta/exec_unusual_directory.py
@@ -19,7 +19,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     exe_path = "c:\\windows\\system32\\cscript.exe"
     binary = "c:\\Users\\Public\\cscript.exe"
diff --git a/rta/exec_unusual_path_msmpeng.py b/rta/exec_unusual_path_msmpeng.py
index 6bdf1e4ca..efa141a04 100644
--- a/rta/exec_unusual_path_msmpeng.py
+++ b/rta/exec_unusual_path_msmpeng.py
@@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe")
 RENAMER = common.get_path("bin", "rcedit-x64.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     msmpeng = "C:\\Users\\Public\\MsMpEng.exe"
     rcedit = "C:\\Users\\Public\\rcedit.exe"
diff --git a/rta/exec_vs_prebuildevent.py b/rta/exec_vs_prebuildevent.py
index 04b951b74..b54a019e1 100644
--- a/rta/exec_vs_prebuildevent.py
+++ b/rta/exec_vs_prebuildevent.py
@@ -24,7 +24,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     msbuild = "C:\\Users\\Public\\msbuild.exe"
     cmd = "C:\\Users\\Public\\cmd.exe"
diff --git a/rta/exec_vsls_agent.py b/rta/exec_vsls_agent.py
index 79fa3d2af..91800054d 100644
--- a/rta/exec_vsls_agent.py
+++ b/rta/exec_vsls_agent.py
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     vslsagent = "C:\\Users\\Public\\vsls-agent.exe"
     common.copy_file(EXE_FILE, vslsagent)
diff --git a/rta/exec_winword_susp_parent.py b/rta/exec_winword_susp_parent.py
index 8b8c5aca6..41d4d2a82 100644
--- a/rta/exec_winword_susp_parent.py
+++ b/rta/exec_winword_susp_parent.py
@@ -23,7 +23,7 @@ metadata = RtaMetadata(
 EXE_FILE = common.get_path("bin", "renamed_posh.exe")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
     powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
     winword = "C:\\Users\\Public\\winword.exe"
diff --git a/rta/execution_iso_dll_rundll32.py b/rta/execution_iso_dll_rundll32.py
index d9151e82d..23049f43a 100644
--- a/rta/execution_iso_dll_rundll32.py
+++ b/rta/execution_iso_dll_rundll32.py
@@ -3,9 +3,9 @@
 # 2.0; you may not use this file except in compliance with the Elastic License
 # 2.0.
-from . import common
-from . import RtaMetadata
-import os
+from pathlib import Path
+
+from . import RtaMetadata, common
 metadata = RtaMetadata(
     uuid="8bd17f51-3fc0-46a8-9e1a-662723314ad4",
@@ -24,10 +24,10 @@ PROC = 'Invite.lnk'
 # ps script to mount, execute a file and unmount ISO device
 PS_SCRIPT = common.get_path("bin", "ExecFromISOFile.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
-    if os.path.exists(ISO) and os.path.exists(PS_SCRIPT):
+    if Path(ISO).is_file() and Path(PS_SCRIPT).is_file():
         print(f'[+] - ISO File {ISO} will be mounted and executed via powershell')
         # import ExecFromISO function that takes two args -ISOFIle pointing to ISO file path and -procname pointing to the filename to execute
diff --git a/rta/execution_iso_dll_sideload.py b/rta/execution_iso_dll_sideload.py
index 228ddafc9..f60c1875a 100644
--- a/rta/execution_iso_dll_sideload.py
+++ b/rta/execution_iso_dll_sideload.py
@@ -3,9 +3,9 @@
 # 2.0; you may not use this file except in compliance with the Elastic License
 # 2.0.
-from . import common
-from . import RtaMetadata
-import os
+from pathlib import Path
+
+from . import RtaMetadata, common
 metadata = RtaMetadata(
     uuid="ba802fb2-f183-420e-947b-da5ce0c74d123",
@@ -22,10 +22,10 @@ PROC = 'WER_RTA.exe'
 # ps script to mount, execute a file and unmount ISO device
 PS_SCRIPT = common.get_path("bin", "ExecFromISOFile.ps1")
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
-    if os.path.exists(ISO) and os.path.exists(PS_SCRIPT):
+    if Path(ISO).is_file() and Path(PS_SCRIPT).is_file():
         print(f'[+] - ISO File {ISO} will be mounted and executed via powershell')
         # import ExecFromISO function that takes two args -ISOFIle pointing to ISO file path and -procname pointing to the filename to execute
diff --git a/rta/execution_node_child_process.py b/rta/execution_node_child_process.py
index 142aaf2e1..c63afdb2e 100644
--- a/rta/execution_node_child_process.py
+++ b/rta/execution_node_child_process.py
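Review bot: The `uuid=` value in the rta/execution_iso_dll_sideload.py import hunk, `ba802fb2-f183-420e-947b-da5ce0c74d123`, has a 13-hex-digit final group, so it is not a well-formed RFC 4122 UUID (every other `uuid=` in this diff has 12). It is a context line, so it predates the commit, but if any tooling parses `RtaMetadata.uuid` with `uuid.UUID` this file will be the one that fails. I can't tell from the diff whether that ID is referenced elsewhere (rule metadata, test fixtures), so correcting it should be checked against those references rather than simply regenerated.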
@@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/node" diff --git a/rta/execution_pubprn.py b/rta/execution_pubprn.py index fc6dbb748..c041391ec 100644 --- a/rta/execution_pubprn.py +++ b/rta/execution_pubprn.py @@ -23,7 +23,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cscript = "C:\\Users\\Public\\cscript.exe" rcedit = "C:\\Users\\Public\\rcedit.exe" diff --git a/rta/extexport_sideload.py b/rta/extexport_sideload.py index 167794278..e75dc77e3 100644 --- a/rta/extexport_sideload.py +++ b/rta/extexport_sideload.py @@ -22,7 +22,7 @@ RENAMER = common.get_path("bin", "rcedit-x64.exe") EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dll = "C:\\Users\\Public\\sqlite3.dll" posh = "C:\\Users\\Public\\posh.exe" diff --git a/rta/file_ads_creation.py b/rta/file_ads_creation.py index a6e51fb17..54c65ab6b 100644 --- a/rta/file_ads_creation.py +++ b/rta/file_ads_creation.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" exe = "C:\\Users\\Public\\a.exe" diff --git a/rta/file_create_dpapi_key.py b/rta/file_create_dpapi_key.py index e0f6ed9be..96820d337 100644 --- a/rta/file_create_dpapi_key.py +++ b/rta/file_create_dpapi_key.py 
@@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fake_dpapi = "C:\\Users\\Public\\ntds_capi_test.pfx" diff --git a/rta/file_create_exchange_um.py b/rta/file_create_exchange_um.py index 64ec87067..cb0c9f16a 100644 --- a/rta/file_create_exchange_um.py +++ b/rta/file_create_exchange_um.py @@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="29eb99a6-14cc-4d37-81dd-c2e78cda8c74", @@ -20,13 +20,13 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\UMWorkerProcess.exe" path = "C:\\Users\\Public\\Microsoft\\Exchange Server Test\\FrontEnd\\HttpProxy\\owa\\auth\\" argpath = "C:\\Users\\Public\\Microsoft\\'Exchange Server Test'\\FrontEnd\\HttpProxy\\owa\\auth\\" common.copy_file(EXE_FILE, proc) - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) file = argpath + "\\shell.php" common.execute([proc, "/c", f"echo AAAAAAAA | Out-File {file}"], timeout=10, kill=True) diff --git a/rta/file_create_exec_pdf_reader.py b/rta/file_create_exec_pdf_reader.py index 178f3e7fa..59773ef1c 100644 --- a/rta/file_create_exec_pdf_reader.py +++ b/rta/file_create_exec_pdf_reader.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): rdrcef = "C:\\Users\\Public\\rdrcef.exe" arp = "C:\\Users\\Public\\arp.exe" 
diff --git a/rta/file_create_lsass_dump.py b/rta/file_create_lsass_dump.py index b086e9f16..a7d893760 100644 --- a/rta/file_create_lsass_dump.py +++ b/rta/file_create_lsass_dump.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fake_dmp = "C:\\Users\\Public\\lsass_test.dmp" diff --git a/rta/file_create_mimilsa_log.py b/rta/file_create_mimilsa_log.py index 064779e7a..ec6201d66 100644 --- a/rta/file_create_mimilsa_log.py +++ b/rta/file_create_mimilsa_log.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): lsass = "C:\\Users\\Public\\lsass.exe" fake_log = "C:\\Users\\Public\\mimilsa.log" diff --git a/rta/file_create_ms_addins.py b/rta/file_create_ms_addins.py index 44c37b531..1d6bdf97e 100644 --- a/rta/file_create_ms_addins.py +++ b/rta/file_create_ms_addins.py @@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="5432792c-d31a-42cc-a82f-0884ea230493", @@ -17,10 +17,10 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): path = "C:\\Users\\Public\\\\AppData\\Roaming\\Microsoft\\Word\\Startup" - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) file = path + "\\file.xll" common.copy_file(EXE_FILE, file) diff --git a/rta/file_create_mstsc_startup.py b/rta/file_create_mstsc_startup.py index d9dd0d5e8..f7371f462 100644 --- a/rta/file_create_mstsc_startup.py +++ b/rta/file_create_mstsc_startup.py 
@@ -5,7 +5,7 @@ from . import common from . import RtaMetadata -import os +from pathlib import Path metadata = RtaMetadata( uuid="55750f93-0545-4222-a1fe-8b25a1c736f0", @@ -17,13 +17,13 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): mstsc = "C:\\Users\\Public\\mstsc.exe" path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" argpath = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup" common.copy_file(EXE_FILE, mstsc) - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) file = argpath + "\\file.exe" common.execute([mstsc, "/c", f"echo AAAAAAAA | Out-File {file}"], timeout=10, kill=True) diff --git a/rta/file_create_outlook_vba.py b/rta/file_create_outlook_vba.py index 07effea29..851ca871b 100644 --- a/rta/file_create_outlook_vba.py +++ b/rta/file_create_outlook_vba.py @@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="3c40b5fd-afd0-4794-8af3-f7af249edf84", @@ -17,10 +17,10 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Outlook" - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) file = path + "\\VbaProject.OTM" common.copy_file(EXE_FILE, file) diff --git a/rta/file_create_powershell_profile.py b/rta/file_create_powershell_profile.py index 0f4ee9a25..670420700 100644 --- a/rta/file_create_powershell_profile.py +++ b/rta/file_create_powershell_profile.py 
@@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="1bc32d6d-c5c9-43c6-bada-6d26469b5dac", @@ -17,10 +17,10 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): path = "C:\\Users\\Public\\Documents\\WindowsPowerShell" - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) file = path + "\\profile.ps1" common.copy_file(EXE_FILE, file) diff --git a/rta/file_create_scripting_startup.py b/rta/file_create_scripting_startup.py index 05fb8b5c2..488ce62e9 100644 --- a/rta/file_create_scripting_startup.py +++ b/rta/file_create_scripting_startup.py @@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="e56f77bc-d9a7-4e02-97e2-b3056f3d4171", @@ -20,12 +20,12 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" argpath = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup" - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) file = argpath + "\\file.exe" common.execute([powershell, "/c", f"echo AAAAAAAA | Out-File {file}"], timeout=10, kill=True) diff --git a/rta/file_create_smss_exec.py b/rta/file_create_smss_exec.py index b94f5e3f1..ce835d50e 100644 
--- a/rta/file_create_smss_exec.py +++ b/rta/file_create_smss_exec.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): smss = "C:\\Users\\Public\\smss.exe" fake_exe = "C:\\Users\\Public\\a.exe" diff --git a/rta/file_create_task_file.py b/rta/file_create_task_file.py index 13690103f..19a0f75eb 100644 --- a/rta/file_create_task_file.py +++ b/rta/file_create_task_file.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): path = "C:\\Windows\\Tasks\\a.job" common.copy_file(EXE_FILE, path) diff --git a/rta/file_create_vbs_startup.py b/rta/file_create_vbs_startup.py index 4349550fd..ec562dae3 100644 --- a/rta/file_create_vbs_startup.py +++ b/rta/file_create_vbs_startup.py @@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="7cee9313-5e55-472b-9d61-a95b0c9725d6", @@ -20,10 +20,10 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): path = "C:\\Users\\Programs\\Startup" - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) file = path + "\\a.vbs" common.copy_file(EXE_FILE, file) diff --git a/rta/file_creation_teamviewer.py b/rta/file_creation_teamviewer.py index 31cd3faf4..90e1bd1aa 100644 --- a/rta/file_creation_teamviewer.py +++ b/rta/file_creation_teamviewer.py 
@@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): teamviewer = "C:\\Users\\Public\\teamviewer.exe" fake_exe = "C:\\Users\\Public\\a.exe" diff --git a/rta/file_delete_spool_driver.py b/rta/file_delete_spool_driver.py index bb942dc36..06f5c6ddf 100644 --- a/rta/file_delete_spool_driver.py +++ b/rta/file_delete_spool_driver.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): file = "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\rta.dll" common.copy_file(EXE_FILE, file) diff --git a/rta/file_delete_vbk.py b/rta/file_delete_vbk.py index 905d4dfc1..0c6ecd5c6 100644 --- a/rta/file_delete_vbk.py +++ b/rta/file_delete_vbk.py @@ -3,10 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="a6c80b08-ca72-4c3e-93c7-ac3421e4235e", @@ -20,9 +19,9 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): - fakebkp = os.path.abspath("fake.vbk") + fakebkp = Path("fake.vbk").resolve() with open(fakebkp, 'w'): pass common.remove_file(fakebkp) diff --git a/rta/file_exe_ususual_extension.py b/rta/file_exe_ususual_extension.py index 20502c336..57562728e 100644 --- a/rta/file_exe_ususual_extension.py +++ b/rta/file_exe_ususual_extension.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" unusualext = "C:\\Users\\Public\\powershell.exe.pdf" 
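Review bot: The rewritten import block in file_delete_vbk.py places `from . import RtaMetadata, common` directly under `from pathlib import Path` with no blank line, while the same rewrite in execution_iso_dll_rundll32.py, file_create_exchange_um.py and the other files in this commit separates the stdlib and local groups. git_creds_access.py and iqy_file_writes.py drop the separator in the same way. Inserting the blank line keeps the package's import layout uniform with the grouping the rest of the commit adopts.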
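Review bot: `fakebkp = Path("fake.vbk").resolve()` changes the variable's type from `str` to `Path` and, unlike `os.path.abspath`, follows symlinks in the existing part of the path, so this is not a pure refactor. `open()` accepts a `Path`, but `common.remove_file(fakebkp)` is defined outside the diff and has to accept a path-like as well; the same str→Path switch appears in hosts_file_modify.py (`backup`, passed to `common.copy_file`), installutil_network.py (`install_util`, passed to `common.copy_file` and `common.execute`) and iqy_file_writes.py, where the resolved paths become elements of the argv list handed to `common.execute`. If any of those helpers joins the arguments into a command string or compares paths as strings, the call fails with a `Path`, and a `str(...)` wrapper such as `fakebkp = str(Path("fake.vbk").resolve())` is the cheapest way to keep the old contract. I would check the `common` helper signatures before relying on stdlib path-like handling.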
diff --git a/rta/file_html_smuggling.py b/rta/file_html_smuggling.py index 739c75059..5b30f824f 100644 --- a/rta/file_html_smuggling.py +++ b/rta/file_html_smuggling.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): userprofile = os.getenv("USERPROFILE") partial = f"{userprofile}\\Downloads\\a.partial" diff --git a/rta/file_mod_via_chmod.py b/rta/file_mod_via_chmod.py index 18340f9d5..bce455f75 100644 --- a/rta/file_mod_via_chmod.py +++ b/rta/file_mod_via_chmod.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing chmod on tmp files.") diff --git a/rta/file_ms_template_macros.py b/rta/file_ms_template_macros.py index 6362b7c9f..617c82f76 100644 --- a/rta/file_ms_template_macros.py +++ b/rta/file_ms_template_macros.py @@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="858475a2-78a6-40f8-8691-7ce0c631cc0c", @@ -19,10 +19,10 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Templates\\" - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) file = path + "\\Normal.dotm" common.temporary_file_helper("testing", file_name=file) diff --git a/rta/file_script_startup_folder.py b/rta/file_script_startup_folder.py index 3ed6cc4e3..61af030ba 100644 --- a/rta/file_script_startup_folder.py +++ b/rta/file_script_startup_folder.py 
@@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="b8dcb997-e099-472e-8f2f-15a80c8dfe1a", @@ -26,13 +26,13 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\proc.exe" path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\" file = path + "\\a.js" common.copy_file(EXE_FILE, proc) - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) common.execute([proc, "/c", f"Copy-Item {EXE_FILE} {file}"], timeout=10) common.remove_files(proc, file) diff --git a/rta/file_susp_browser_extension.py b/rta/file_susp_browser_extension.py index 4eefa1d49..8dfe1a462 100644 --- a/rta/file_susp_browser_extension.py +++ b/rta/file_susp_browser_extension.py @@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="edb804d6-85df-4dca-a521-1b6dfee9f354", @@ -20,13 +20,13 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\proc.exe" path = "C:\\Users\\Public\\AppData\\Roaming\\Mozilla\\Test\\Profiles\\AdefaultA" file = path + "\\extensions.json" common.copy_file(EXE_FILE, proc) - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) common.execute([proc, "/c", f"Copy-Item {EXE_FILE} {file}"], timeout=10) common.remove_files(proc, file) 
diff --git a/rta/finder_sync_plugin.py b/rta/finder_sync_plugin.py index f4888adb9..bf314bf5e 100644 --- a/rta/finder_sync_plugin.py +++ b/rta/finder_sync_plugin.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/pluginkit" diff --git a/rta/findstr_pw_search.py b/rta/findstr_pw_search.py index e65d53660..68bba4890 100644 --- a/rta/findstr_pw_search.py +++ b/rta/findstr_pw_search.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): path = "c:\\rta" common.log("Searching for passwords on %s" % path) diff --git a/rta/firewall_allowlist_modif_unsigned.py b/rta/firewall_allowlist_modif_unsigned.py index 037eb7985..36928447d 100644 --- a/rta/firewall_allowlist_modif_unsigned.py +++ b/rta/firewall_allowlist_modif_unsigned.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Users\\Public\\posh.exe" common.copy_file(EXE_FILE, posh) diff --git a/rta/fltmc_unload.py b/rta/fltmc_unload.py index db51193d8..c7d9ce35c 100644 --- a/rta/fltmc_unload.py +++ b/rta/fltmc_unload.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Execute command diff --git a/rta/git_creds_access.py b/rta/git_creds_access.py index 8ebd6fb53..3777c7751 100644 --- a/rta/git_creds_access.py +++ b/rta/git_creds_access.py @@ -3,10 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="e15ea2ec-c8a9-4203-8d01-d18d1c27fd58", 
@@ -19,13 +18,13 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" gitpath = "C:\\Users\\Public\\.config\\git" try: - os.makedirs(gitpath) + Path(gitpath).mkdir(parents=True) except Exception: pass gitcreds = gitpath + "\\credentials" diff --git a/rta/globalflags.py b/rta/globalflags.py index 437257a16..b058d2caa 100644 --- a/rta/globalflags.py +++ b/rta/globalflags.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Setting up persistence using Globalflags") ifeo_subkey = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\netstat.exe" diff --git a/rta/grep_software_discovery.py b/rta/grep_software_discovery.py index 472261667..fab17c015 100644 --- a/rta/grep_software_discovery.py +++ b/rta/grep_software_discovery.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/grep" diff --git a/rta/hidden_file_mount.py b/rta/hidden_file_mount.py index b6c77acc0..fc979e4ea 100644 --- a/rta/hidden_file_mount.py +++ b/rta/hidden_file_mount.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): mount_dir = "/tmp/.exploit" diff --git a/rta/hidden_plist.py b/rta/hidden_plist.py index 8df4bf8bf..4ef1e481c 100644 --- a/rta/hidden_plist.py +++ b/rta/hidden_plist.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): plist_path = f"/Library/LaunchAgents/.test.plist" diff --git a/rta/hosts_file_modify.py b/rta/hosts_file_modify.py index 9505a0c42..d7122e4d7 100644 --- a/rta/hosts_file_modify.py +++ b/rta/hosts_file_modify.py 
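Review bot: The `try: Path(gitpath).mkdir(parents=True) except Exception: pass` retained around the directory creation swallows every error (permission denied, a regular file already at that path), while the parallel hunks in file_create_ms_addins.py, file_create_outlook_vba.py and the other startup-folder RTAs use `exist_ok=True` with no try. Replacing the three lines with `Path(gitpath).mkdir(parents=True, exist_ok=True)` keeps the only case worth ignoring (directory already present) and lets a real failure surface before the credentials file is written. main() continues past the end of this hunk.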
@@ -11,12 +11,10 @@ import os import random import time - +from pathlib import Path from string import ascii_letters -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="f24491d0-720b-4150-a2a1-45b5b07238aa", @@ -35,7 +33,7 @@ def main(): } hosts_file = hosts_files[common.CURRENT_OS] - backup = os.path.abspath(hosts_file + "_backup") + backup = Path(hosts_file + "_backup").resolve() common.log("Backing up original 'hosts' file.") common.copy_file(hosts_file, backup) diff --git a/rta/html_help_file_written_exec.py b/rta/html_help_file_written_exec.py index 3e14d94af..62929ba6d 100644 --- a/rta/html_help_file_written_exec.py +++ b/rta/html_help_file_written_exec.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() url = f"http://{ip}:{port}/bin/renamed_posh.exe" diff --git a/rta/image_load_dnguard.py b/rta/image_load_dnguard.py index 19e15a86a..60ebd86cf 100644 --- a/rta/image_load_dnguard.py +++ b/rta/image_load_dnguard.py @@ -23,7 +23,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\proc.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/image_load_msbuild_vaultcli.py b/rta/image_load_msbuild_vaultcli.py index e81d5633c..6a507f8fa 100644 --- a/rta/image_load_msbuild_vaultcli.py +++ b/rta/image_load_msbuild_vaultcli.py @@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): msbuild = "C:\\Users\\Public\\msbuild.exe" user32 = "C:\\Windows\\System32\\user32.dll" 
diff --git a/rta/image_load_phantomdll.py b/rta/image_load_phantomdll.py index 68497d96c..d4dfe5d45 100644 --- a/rta/image_load_phantomdll.py +++ b/rta/image_load_phantomdll.py @@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\proc.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/image_load_rdp_client_dll.py b/rta/image_load_rdp_client_dll.py index 6a4b8e605..7e6b1c338 100644 --- a/rta/image_load_rdp_client_dll.py +++ b/rta/image_load_rdp_client_dll.py @@ -18,7 +18,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\proc.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/image_load_script_interpreter_wmiutils.py b/rta/image_load_script_interpreter_wmiutils.py index a5f74d7c5..56f596902 100644 --- a/rta/image_load_script_interpreter_wmiutils.py +++ b/rta/image_load_script_interpreter_wmiutils.py @@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cscript = "C:\\Users\\Public\\cscript.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/image_load_taskhost.py b/rta/image_load_taskhost.py index c35fdd3c4..6b25b78e6 100644 --- a/rta/image_load_taskhost.py +++ b/rta/image_load_taskhost.py 
@@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): taskhost1 = "C:\\Users\\Public\\taskhost1.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/image_load_vaultcli.py b/rta/image_load_vaultcli.py index 4ccf98388..245e3ce5f 100644 --- a/rta/image_load_vaultcli.py +++ b/rta/image_load_vaultcli.py @@ -21,7 +21,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/impersonate_trusted_installer.py b/rta/impersonate_trusted_installer.py index 0d8170647..16986a890 100644 --- a/rta/impersonate_trusted_installer.py +++ b/rta/impersonate_trusted_installer.py @@ -48,7 +48,7 @@ def impersonate_trusted_installer(): print(f'[x] - Failed TrustedInstaller Impersonation') pass -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.impersonate_system() startsvc_trustedinstaller() diff --git a/rta/inhibit_system_recovery.py b/rta/inhibit_system_recovery.py index 4429fbd15..de51588ae 100644 --- a/rta/inhibit_system_recovery.py +++ b/rta/inhibit_system_recovery.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Deleting volume shadow copies...") diff --git a/rta/inhibit_system_recovery_and_rename.py b/rta/inhibit_system_recovery_and_rename.py index 079fe2e47..193abefc8 100644 --- a/rta/inhibit_system_recovery_and_rename.py +++ b/rta/inhibit_system_recovery_and_rename.py 
@@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): vssadmin = "C:\\Windows\\System32\\vssadmin.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/inhibit_system_recovery_cmd.py b/rta/inhibit_system_recovery_cmd.py index afa0fbfa3..5e8313158 100644 --- a/rta/inhibit_system_recovery_cmd.py +++ b/rta/inhibit_system_recovery_cmd.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): vssadmin = "C:\\Windows\\System32\\vssadmin.exe" cmd = "C:\\Windows\\System32\\cmd.exe" diff --git a/rta/inhibit_system_recovery_lolbas_child.py b/rta/inhibit_system_recovery_lolbas_child.py index db5cd173c..2160fa37a 100644 --- a/rta/inhibit_system_recovery_lolbas_child.py +++ b/rta/inhibit_system_recovery_lolbas_child.py @@ -29,7 +29,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): vssadmin = "C:\\Windows\\System32\\vssadmin.exe" cscript = "C:\\Users\\Public\\cscript.exe" diff --git a/rta/inhibit_system_recovery_office.py b/rta/inhibit_system_recovery_office.py index e46fbe2db..a0dd58e4d 100644 --- a/rta/inhibit_system_recovery_office.py +++ b/rta/inhibit_system_recovery_office.py @@ -27,7 +27,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "winword.exe" common.copy_file(EXE_FILE, binary) diff --git a/rta/inhibit_system_recovery_renamed.py b/rta/inhibit_system_recovery_renamed.py index 1d1b9aa60..e443c322a 100644 --- a/rta/inhibit_system_recovery_renamed.py +++ b/rta/inhibit_system_recovery_renamed.py 
@@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): vssadmin = "C:\\Windows\\System32\\vssadmin.exe" ren_vssadmin = "C:\\Users\\Public\\renvssadmin.exe" diff --git a/rta/installutil_network.py b/rta/installutil_network.py index b964a166c..725527788 100644 --- a/rta/installutil_network.py +++ b/rta/installutil_network.py @@ -10,12 +10,10 @@ # Elastic detection: Unusual Network Activity from a Windows System Binary # Description: Uses mock .NET malware and InstallUtil to create network activity from InstallUtil. -import os import sys +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="6dfa88c9-9fb2-4fb0-8bea-0bc45222b498", @@ -38,7 +36,7 @@ metadata = RtaMetadata( MY_DOT_NET = common.get_path("bin", "mydotnet.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MY_DOT_NET) def main(): server, ip, port = common.serve_web() @@ -56,9 +54,9 @@ def main(): install_util86 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe" fallback = False - if os.path.exists(install_util64): + if Path(install_util64).is_file(): install_util = install_util64 - elif os.path.exists(install_util86): + elif Path(install_util86).is_file(): install_util = install_util86 else: install_util = None @@ -70,7 +68,7 @@ def main(): else: common.log("Unable to find InstallUtil, creating temp file") - install_util = os.path.abspath("InstallUtil.exe") + install_util = Path("InstallUtil.exe").resolve() common.copy_file(sys.executable, install_util) common.execute( [ diff --git a/rta/ip_discovery_unsigned.py b/rta/ip_discovery_unsigned.py index 5f5047eb0..63bfde793 100644 --- a/rta/ip_discovery_unsigned.py +++ b/rta/ip_discovery_unsigned.py 
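Review bot: After this hunk `install_util` is a `Path` in the fallback branch but remains the `str` taken from `install_util64`/`install_util86` in the branches above, so the rest of main() sees two types for one variable. `common.copy_file(sys.executable, install_util)` and the `common.execute([` call that follows (cut off by the hunk) receive a `Path` only on hosts without InstallUtil, so any str-only handling in those helpers would break on exactly the fallback path that is rarely exercised. Keeping a single type, `install_util = str(Path("InstallUtil.exe").resolve())`, avoids the split; main() starts and ends outside this hunk.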
@@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Users\\Public\\posh.exe" common.copy_file(EXE_FILE, posh) diff --git a/rta/iqy_file_writes.py b/rta/iqy_file_writes.py index 9afd0bff8..5427443d2 100644 --- a/rta/iqy_file_writes.py +++ b/rta/iqy_file_writes.py @@ -8,11 +8,9 @@ # ATT&CK: T1140, T1192, T1193 # Description: Generates four file writes related to file extensions (PUB, IQY) -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="71f67037-1df3-4d5f-b8cb-eaf295ad16ed", @@ -23,12 +21,12 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Suspicious File Writes (IQY, PUB)") - adobe_path = os.path.abspath("AcroRd32.exe") - msoffice_path = os.path.abspath("winword.exe") - browser_path = os.path.abspath("iexplore.exe") + adobe_path = Path("AcroRd32.exe").resolve() + msoffice_path = Path("winword.exe").resolve() + browser_path = Path("iexplore.exe").resolve() common.copy_file(common.CMD_PATH, adobe_path) common.copy_file(common.CMD_PATH, msoffice_path) common.copy_file(common.CMD_PATH, browser_path) 
@@ -36,22 +34,22 @@ def main(): # write file as adobe, then run it common.log("Creating a 'suspicious' executable") - bad_path = os.path.abspath("bad.exe") + bad_path = Path("bad.exe").resolve() # PDF writing IQY file - fake_iqy = os.path.abspath("test.iqy") + fake_iqy = Path("test.iqy").resolve() common.execute([adobe_path, "/c", "echo", "test", ">", fake_iqy]) # PDF writing PUB file - fake_pub = os.path.abspath("test.pub") + fake_pub = Path("test.pub").resolve() common.execute([adobe_path, "/c", "echo", "test", ">", fake_pub]) # Winword writing IQY file - fake_doc_iqy = os.path.abspath("test_word.iqy") + fake_doc_iqy = Path("test_word.iqy").resolve() common.execute([msoffice_path, "/c", "echo", "test", ">", fake_doc_iqy]) # Browser writing IQY file - fake_browser_iqy = os.path.abspath("test_browser.iqy") + fake_browser_iqy = Path("test_browser.iqy").resolve() common.execute([browser_path, "/c", "echo", "test", ">", fake_browser_iqy]) # cleanup diff --git a/rta/javascript_payload.py b/rta/javascript_payload.py index 22f38832e..4bba705b2 100644 --- a/rta/javascript_payload.py +++ b/rta/javascript_payload.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Setup web server common.serve_web() diff --git a/rta/kcc_kerberos_dump.py b/rta/kcc_kerberos_dump.py index 835aea334..57e8fde3b 100644 --- a/rta/kcc_kerberos_dump.py +++ b/rta/kcc_kerberos_dump.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/kcc" diff --git a/rta/kerberos_netconn_file_creation.py b/rta/kerberos_netconn_file_creation.py index 01f5bd716..ea14a3335 100644 --- a/rta/kerberos_netconn_file_creation.py +++ b/rta/kerberos_netconn_file_creation.py 
@@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/kernel_module_removal_execution.py b/rta/kernel_module_removal_execution.py index a0076f31d..d96c38bbc 100644 --- a/rta/kernel_module_removal_execution.py +++ b/rta/kernel_module_removal_execution.py @@ -27,7 +27,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/rmmod" diff --git a/rta/kernelext_agent_unload.py b/rta/kernelext_agent_unload.py index a0f80d027..519096b26 100644 --- a/rta/kernelext_agent_unload.py +++ b/rta/kernelext_agent_unload.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/kextunload" diff --git a/rta/kext_load.py b/rta/kext_load.py index 07dd1f3d9..d49ca9c05 100644 --- a/rta/kext_load.py +++ b/rta/kext_load.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/keychain_cred_access.py b/rta/keychain_cred_access.py index eabfde995..978be6c46 100644 --- a/rta/keychain_cred_access.py +++ b/rta/keychain_cred_access.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" diff --git a/rta/keychain_dump.py b/rta/keychain_dump.py index 07639b4ab..922f59fc3 100644 --- a/rta/keychain_dump.py +++ b/rta/keychain_dump.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" diff --git a/rta/keychain_pwd_cmdline.py b/rta/keychain_pwd_cmdline.py index 70e9457e1..59e33dbc2 100644 
--- a/rta/keychain_pwd_cmdline.py +++ b/rta/keychain_pwd_cmdline.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/security" diff --git a/rta/lateral_command_psexec.py b/rta/lateral_command_psexec.py index 3a7e5cb60..4c95fccb4 100755 --- a/rta/lateral_command_psexec.py +++ b/rta/lateral_command_psexec.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(common.PS_EXEC) def main(remote_host=None): remote_host = remote_host or common.get_ip() diff --git a/rta/lateral_commands.py b/rta/lateral_commands.py index ce81874bd..649d4658c 100644 --- a/rta/lateral_commands.py +++ b/rta/lateral_commands.py @@ -31,7 +31,7 @@ metadata = RtaMetadata( MY_APP = common.get_path("bin", "myapp.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MY_APP) def main(remote_host=None): remote_host = remote_host or common.get_ip() diff --git a/rta/launchagent_plist.py b/rta/launchagent_plist.py index 99e3a62c4..8483efb79 100644 --- a/rta/launchagent_plist.py +++ b/rta/launchagent_plist.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/launchctl" diff --git a/rta/launchd_load_plist.py b/rta/launchd_load_plist.py index 268b70be2..294cb195b 100644 --- a/rta/launchd_load_plist.py +++ b/rta/launchd_load_plist.py @@ -39,7 +39,7 @@ plist = """ """ -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): plist_name = "com.test.plist" daemon_dir = Path("/", "Library", "LaunchDaemons").expanduser() diff --git a/rta/launchdaemon_persistence.py b/rta/launchdaemon_persistence.py index fde4f3c53..42dca5963 100644 --- a/rta/launchdaemon_persistence.py +++ b/rta/launchdaemon_persistence.py 
@@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/launchctl" diff --git a/rta/ldapsearch_group_enumeration.py b/rta/ldapsearch_group_enumeration.py index 7b2da0f89..87d09d2d7 100644 --- a/rta/ldapsearch_group_enumeration.py +++ b/rta/ldapsearch_group_enumeration.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/ldapsearch" diff --git a/rta/link_to_tmp.py b/rta/link_to_tmp.py index eccc4df72..c6a3c208f 100644 --- a/rta/link_to_tmp.py +++ b/rta/link_to_tmp.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/ln" diff --git a/rta/linux_compress_sensitive_files.py b/rta/linux_compress_sensitive_files.py index aa730c39e..99802ebbb 100644 --- a/rta/linux_compress_sensitive_files.py +++ b/rta/linux_compress_sensitive_files.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Compressing sensitive files") files = ["totally-legit.tar", "official-business.zip", "expense-reports.gz"] diff --git a/rta/login_hook.py b/rta/login_hook.py index 3a1447533..deee6b744 100644 --- a/rta/login_hook.py +++ b/rta/login_hook.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/defaults" diff --git a/rta/login_window_plist.py b/rta/login_window_plist.py index b92846bb1..5cc8da5d6 100644 --- a/rta/login_window_plist.py +++ b/rta/login_window_plist.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing deletion on /tmp/com.apple.loginwindow.plist file.") 
diff --git a/rta/lua_image_load.py b/rta/lua_image_load.py index 39dfccfa6..fe36b145e 100644 --- a/rta/lua_image_load.py +++ b/rta/lua_image_load.py @@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Users\\Public\\posh.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/mac_office_descendant.py b/rta/mac_office_descendant.py index 47dafc0dd..2bfa69308 100644 --- a/rta/mac_office_descendant.py +++ b/rta/mac_office_descendant.py @@ -7,11 +7,9 @@ # RTA: mac_office_descendant.py # Description: Creates a suspicious process spawned from "Microsoft Word" -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="bb523eb1-db67-4ae6-9369-af1a93322817", @@ -22,10 +20,10 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Emulating Microsoft Word running enumeration commands") - office_path = os.path.abspath("Microsoft Word") + office_path = Path("Microsoft Word").resolve() common.copy_file("/bin/sh", office_path) common.execute([office_path], stdin="whoami") diff --git a/rta/macos_installer_curl.py b/rta/macos_installer_curl.py index 58d75b429..05cd75857 100644 --- a/rta/macos_installer_curl.py +++ b/rta/macos_installer_curl.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/mimikatz_cmdline.py b/rta/mimikatz_cmdline.py index a725f9939..e2a17047d 100644 --- a/rta/mimikatz_cmdline.py +++ b/rta/mimikatz_cmdline.py 
@@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/mimipenguin_execution.py b/rta/mimipenguin_execution.py index d96859b90..792b70d4c 100644 --- a/rta/mimipenguin_execution.py +++ b/rta/mimipenguin_execution.py @@ -27,7 +27,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/ps" diff --git a/rta/modification_of_wdigest_security_provider.py b/rta/modification_of_wdigest_security_provider.py index be66302ef..e8c77739a 100644 --- a/rta/modification_of_wdigest_security_provider.py +++ b/rta/modification_of_wdigest_security_provider.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" value = "UseLogonCredential" diff --git a/rta/modify_bootconf.py b/rta/modify_bootconf.py index c832fec4e..ead87d16d 100644 --- a/rta/modify_bootconf.py +++ b/rta/modify_bootconf.py @@ -3,11 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="672cd0e6-fa5a-468f-80c8-04f92bead469", @@ -27,7 +25,7 @@ def main(): # Messing with the boot configuration is not a great idea so create a backup: common.log("Exporting the boot configuration....") - backup_file = os.path.abspath("boot.cfg") + backup_file = Path("boot.cfg").resolve() common.execute([bcdedit, "/export", backup_file]) # WARNING: this sets up computer to boot into Safe Mode upon reboot diff --git a/rta/modify_sublime_app.py b/rta/modify_sublime_app.py index 332d38811..05463781c 100644 --- a/rta/modify_sublime_app.py 
+++ b/rta/modify_sublime_app.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): sublime_dir = Path(f"{Path.home()}/Library/Application Support/Sublime Text 4/") diff --git a/rta/mount_smbfs.py b/rta/mount_smbfs.py index 93606713c..a584580c5 100644 --- a/rta/mount_smbfs.py +++ b/rta/mount_smbfs.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/mount_smbfs" diff --git a/rta/ms_office_drop_exe.py b/rta/ms_office_drop_exe.py index 7d0e1a438..5d98e57a6 100644 --- a/rta/ms_office_drop_exe.py +++ b/rta/ms_office_drop_exe.py @@ -10,10 +10,9 @@ import os import time +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="ce85674f-fb6c-44d5-b880-4ce9062e1028", @@ -29,16 +28,16 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cmd_path = "c:\\windows\\system32\\cmd.exe" for office_app in ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]: common.log("Emulating office application %s" % office_app) - office_path = os.path.abspath(office_app) + office_path = Path(office_app).resolve() common.copy_file(cmd_path, office_path) - bad_path = os.path.abspath("bad-{}-{}.exe".format(hash(office_app), os.getpid())) + bad_path = Path("bad-{}-{}.exe".format(hash(office_app), os.getpid())).resolve() common.execute([office_path, "/c", "copy", cmd_path, bad_path]) time.sleep(1) diff --git a/rta/ms_office_task_creation.py b/rta/ms_office_task_creation.py index 91863e921..57753c42c 100644 --- a/rta/ms_office_task_creation.py +++ b/rta/ms_office_task_creation.py 
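Review bot: The rewritten `bad_path` line in `rta/ms_office_drop_exe.py` keeps `hash(office_app)` in the dropped file's name, and `str.__hash__` is salted per interpreter process, so the name differs on every run and can carry a leading minus (e.g. `bad--1234-567.exe`, constructed example). Since the line is being rewritten anyway, a deterministic token keeps the generated artifact reproducible run to run: `bad_path = Path(f"bad-{Path(office_app).stem}-{os.getpid()}.exe").resolve()`. `main`'s body appears to continue past the end of the hunk.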
@@ -28,7 +28,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): winword = "C:\\Users\\Public\\winword.exe" svchost = "C:\\Users\\Public\\svchost.exe" diff --git a/rta/msbuild_network.py b/rta/msbuild_network.py index 8e79375e8..30d123795 100644 --- a/rta/msbuild_network.py +++ b/rta/msbuild_network.py @@ -31,7 +31,7 @@ metadata = RtaMetadata( MS_BUILD = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe" -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MS_BUILD) def main(): common.log("MsBuild Beacon") diff --git a/rta/msbuild_unusual_args.py b/rta/msbuild_unusual_args.py index 4f277f6f8..177e24809 100644 --- a/rta/msbuild_unusual_args.py +++ b/rta/msbuild_unusual_args.py @@ -22,7 +22,7 @@ RENAMER = common.get_path("bin", "rcedit-x64.exe") EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): msbuild = "C:\\Users\\Public\\posh.exe" rcedit = "C:\\Users\\Public\\rcedit.exe" diff --git a/rta/msequationeditor_file_written_exec.py b/rta/msequationeditor_file_written_exec.py index 5e6cc40d5..0ef3f8051 100644 --- a/rta/msequationeditor_file_written_exec.py +++ b/rta/msequationeditor_file_written_exec.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() url = f"http://{ip}:{port}/bin/renamed_posh.exe" diff --git a/rta/msequationeditor_net_conn.py b/rta/msequationeditor_net_conn.py index 6c70e01e6..9bd9fea82 100644 --- a/rta/msequationeditor_net_conn.py +++ b/rta/msequationeditor_net_conn.py 
@@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "regsvr32.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): eqnedt32 = "C:\\Users\\Public\\eqnedt32.exe" diff --git a/rta/mshta_network.py b/rta/mshta_network.py index 3f3b4bcd6..b0618d820 100644 --- a/rta/mshta_network.py +++ b/rta/mshta_network.py @@ -30,7 +30,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(HTA_FILE) def main(): # http server will terminate on main thread exit diff --git a/rta/msiexec_http_installer.py b/rta/msiexec_http_installer.py index 989d6aba4..2e812750b 100644 --- a/rta/msiexec_http_installer.py +++ b/rta/msiexec_http_installer.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("MsiExec HTTP Download") server, ip, port = common.serve_web() diff --git a/rta/msiexec_remote_msi.py b/rta/msiexec_remote_msi.py index 732616f46..458cb7fce 100644 --- a/rta/msiexec_remote_msi.py +++ b/rta/msiexec_remote_msi.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Execute command diff --git a/rta/msiexec_remote_msi_install.py b/rta/msiexec_remote_msi_install.py index fa54d9ea8..a5fa6dd87 100644 --- a/rta/msiexec_remote_msi_install.py +++ b/rta/msiexec_remote_msi_install.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): msiexec = "C:\\Users\\Public\\msiexec.exe" common.copy_file(EXE_FILE, msiexec) diff --git a/rta/msoffice_addins_file.py b/rta/msoffice_addins_file.py index 99a0239f6..7ef4695ce 100644 --- a/rta/msoffice_addins_file.py +++ b/rta/msoffice_addins_file.py 
@@ -3,9 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +from pathlib import Path + +from . import RtaMetadata, common metadata = RtaMetadata( uuid="97979b30-908d-4c57-a33a-f3b78e55a84a", @@ -20,10 +20,10 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): path = "C:\\Users\\Public\\AppData\\Roaming\\Microsoft\\Word\\Startup" - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) file = path + "\\file.exe" common.copy_file(EXE_FILE, file) diff --git a/rta/msoffice_dcom_accessvbom.py b/rta/msoffice_dcom_accessvbom.py index 27d6e23fd..ad3e015ed 100644 --- a/rta/msoffice_dcom_accessvbom.py +++ b/rta/msoffice_dcom_accessvbom.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): winword = "C:\\Users\\Public\\winword.exe" common.copy_file(EXE_FILE, winword) diff --git a/rta/msoffice_descendant_reg_mod_persistence.py b/rta/msoffice_descendant_reg_mod_persistence.py index 0fb97782e..5b347ada0 100644 --- a/rta/msoffice_descendant_reg_mod_persistence.py +++ b/rta/msoffice_descendant_reg_mod_persistence.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): winword = "C:\\Users\\Public\\winword.exe" posh = "C:\\Users\\Public\\posh.exe" diff --git a/rta/msoffice_dll_image_load.py b/rta/msoffice_dll_image_load.py index 46b04259c..da7d288f9 100644 --- a/rta/msoffice_dll_image_load.py +++ b/rta/msoffice_dll_image_load.py 
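Review bot: In the `@@ -20,10 +20,10 @@` hunk of `rta/msoffice_addins_file.py` the new `Path(path).mkdir(parents=True, exist_ok=True)` call builds a `Path` only to discard it, while the next line still assembles the target by string concatenation (`file = path + "\\file.exe"`), leaving two representations of the same directory in one function. Binding it once keeps the pathlib migration consistent: `startup = Path(path)`, `startup.mkdir(parents=True, exist_ok=True)`, `file = startup / "file.exe"` — assuming `common.copy_file` accepts `os.PathLike`, which is not visible here. `main`'s body appears to continue past the end of the hunk.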
@@ -24,7 +24,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): winword = "C:\\Users\\Public\\winword.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/msoffice_file_dll_sideload.py b/rta/msoffice_file_dll_sideload.py index 80a8f6e4e..af5b27945 100644 --- a/rta/msoffice_file_dll_sideload.py +++ b/rta/msoffice_file_dll_sideload.py @@ -31,7 +31,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): winword = "C:\\Users\\Public\\winword.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/msoffice_file_drop_exec_wmi.py b/rta/msoffice_file_drop_exec_wmi.py index 2684d95be..ce1743bc4 100644 --- a/rta/msoffice_file_drop_exec_wmi.py +++ b/rta/msoffice_file_drop_exec_wmi.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() url = f"http://{ip}:{port}/bin/renamed_posh.exe" diff --git a/rta/msoffice_file_exec_script_interpreter.py b/rta/msoffice_file_exec_script_interpreter.py index 3354785af..c5bedadad 100644 --- a/rta/msoffice_file_exec_script_interpreter.py +++ b/rta/msoffice_file_exec_script_interpreter.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "winword.exe" common.copy_file(EXE_FILE, binary) diff --git a/rta/msoffice_potential_proc_inj.py b/rta/msoffice_potential_proc_inj.py index 36af034fb..ec1a37907 100644 --- a/rta/msoffice_potential_proc_inj.py +++ b/rta/msoffice_potential_proc_inj.py 
@@ -22,7 +22,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): winword = "C:\\Users\\Public\\winword.exe" cmd = "C:\\Windows\\System32\\cmd.exe" diff --git a/rta/msoffice_reg_mod.py b/rta/msoffice_reg_mod.py index e51dca639..0aa2b3edc 100644 --- a/rta/msoffice_reg_mod.py +++ b/rta/msoffice_reg_mod.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): winword = "C:\\Users\\Public\\winword.exe" common.copy_file(EXE_FILE, winword) diff --git a/rta/msoffice_signed_binary_spawn.py b/rta/msoffice_signed_binary_spawn.py index c03311f46..7bf1ddade 100644 --- a/rta/msoffice_signed_binary_spawn.py +++ b/rta/msoffice_signed_binary_spawn.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" temposh = "C:\\Users\\Public\\posh.exe" diff --git a/rta/msoffice_startup_persistence.py b/rta/msoffice_startup_persistence.py index edd9fff49..62ff4d292 100644 --- a/rta/msoffice_startup_persistence.py +++ b/rta/msoffice_startup_persistence.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Users\\Public\\posh.exe" temp = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\temp_persist.exe" diff --git a/rta/msoffice_untrusted_exec.py b/rta/msoffice_untrusted_exec.py index fa9a77656..2c498351b 100644 --- a/rta/msoffice_untrusted_exec.py +++ b/rta/msoffice_untrusted_exec.py 
@@ -29,7 +29,7 @@ EXE_FILE = common.get_path("bin", "regsvr32.exe") EXE_FILE2 = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "winword.exe" common.copy_file(EXE_FILE2, binary) diff --git a/rta/msoffice_wmi_imageload.py b/rta/msoffice_wmi_imageload.py index cc8696b7f..26bfd0a02 100644 --- a/rta/msoffice_wmi_imageload.py +++ b/rta/msoffice_wmi_imageload.py @@ -19,7 +19,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): winword = "C:\\Users\\Public\\winword.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/msxsl_image_load.py b/rta/msxsl_image_load.py index a0fad0c36..9d1e007d4 100644 --- a/rta/msxsl_image_load.py +++ b/rta/msxsl_image_load.py @@ -23,7 +23,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): msxsl = "C:\\Users\\Public\\msxsl.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/msxsl_network.py b/rta/msxsl_network.py index 04f044b63..129d20a35 100644 --- a/rta/msxsl_network.py +++ b/rta/msxsl_network.py @@ -26,7 +26,7 @@ XML_FILE = common.get_path("bin", "customers.xml") XSL_FILE = common.get_path("bin", "cscript.xsl") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MS_XSL, XML_FILE, XSL_FILE) def main(): common.log("MsXsl Beacon") diff --git a/rta/net_user_add.py b/rta/net_user_add.py index a3f5f89ca..f813740a9 100644 --- a/rta/net_user_add.py +++ b/rta/net_user_add.py 
@@ -24,7 +24,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Creating local and domain user accounts using net.exe") commands = [ diff --git a/rta/network_connection_desktopimgdownldr.py b/rta/network_connection_desktopimgdownldr.py index 29074b548..58a5e09ff 100644 --- a/rta/network_connection_desktopimgdownldr.py +++ b/rta/network_connection_desktopimgdownldr.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): desktopimgdownldr = "C:\\Users\\Public\\desktopimgdownldr.exe" common.copy_file(EXE_FILE, desktopimgdownldr) diff --git a/rta/network_connection_download_powershell.py b/rta/network_connection_download_powershell.py index 3fa4d47f0..c692318a4 100644 --- a/rta/network_connection_download_powershell.py +++ b/rta/network_connection_download_powershell.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fake_exe = "C:\\Users\\Public\\a.exe" diff --git a/rta/network_connection_download_script_interpreter.py b/rta/network_connection_download_script_interpreter.py index ae7afbd54..2e2fb9bf5 100644 --- a/rta/network_connection_download_script_interpreter.py +++ b/rta/network_connection_download_script_interpreter.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): wscript = "C:\\Users\\Public\\wscript.exe" fake_exe = "C:\\Users\\Public\\a.exe" diff --git a/rta/network_connection_external_ip_lookup_non_browser.py b/rta/network_connection_external_ip_lookup_non_browser.py index 2e2e4545c..ebb907798 100644 
--- a/rta/network_connection_external_ip_lookup_non_browser.py +++ b/rta/network_connection_external_ip_lookup_non_browser.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/network_connection_freesslcert.py b/rta/network_connection_freesslcert.py index 2579959fe..2e28f4ce3 100644 --- a/rta/network_connection_freesslcert.py +++ b/rta/network_connection_freesslcert.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/network_connection_iexplore_rundll32.py b/rta/network_connection_iexplore_rundll32.py index 597478f60..26695b169 100644 --- a/rta/network_connection_iexplore_rundll32.py +++ b/rta/network_connection_iexplore_rundll32.py @@ -22,7 +22,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): rundll32 = "C:\\Users\\Public\\rundll32.exe" iexplore = "C:\\Users\\Public\\iexplore.exe" diff --git a/rta/network_connection_kerberos_port.py b/rta/network_connection_kerberos_port.py index 9eb7867a0..0a60d994c 100644 --- a/rta/network_connection_kerberos_port.py +++ b/rta/network_connection_kerberos_port.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/network_connection_nslookup.py b/rta/network_connection_nslookup.py index d4544c93a..86e190365 100644 --- a/rta/network_connection_nslookup.py +++ b/rta/network_connection_nslookup.py 
@@ -15,7 +15,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): nslookup = "C:\\Windows\\System32\\nslookup.exe" diff --git a/rta/network_connection_process_unusual_args.py b/rta/network_connection_process_unusual_args.py index e983340a7..1a10e7eb7 100644 --- a/rta/network_connection_process_unusual_args.py +++ b/rta/network_connection_process_unusual_args.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "regsvr32.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Making connection using fake regsvr32.exe") diff --git a/rta/network_connection_rdp_tunneling.py b/rta/network_connection_rdp_tunneling.py index fe6ae5da2..f2dc65a9b 100644 --- a/rta/network_connection_rdp_tunneling.py +++ b/rta/network_connection_rdp_tunneling.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/network_connection_unusual_rundll32.py b/rta/network_connection_unusual_rundll32.py index 2d9466c6f..5665298b8 100644 --- a/rta/network_connection_unusual_rundll32.py +++ b/rta/network_connection_unusual_rundll32.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "regsvr32.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "rundll32.exe" common.copy_file(EXE_FILE, binary) diff --git a/rta/networksetup_vpn.py b/rta/networksetup_vpn.py index 9582fe084..b183eb07c 100644 --- a/rta/networksetup_vpn.py +++ b/rta/networksetup_vpn.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/networksetup" 
diff --git a/rta/obfuscated_cmd_commands.py b/rta/obfuscated_cmd_commands.py index 76881d011..1eb63b827 100644 --- a/rta/obfuscated_cmd_commands.py +++ b/rta/obfuscated_cmd_commands.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # All encoded versions of the following: `start calc && ping -n 2 127.0.0.1>nul && taskkill /im calc.exe` commands = """ diff --git a/rta/obfuscated_powershell.py b/rta/obfuscated_powershell.py index 3a7df1ffc..c2b558353 100644 --- a/rta/obfuscated_powershell.py +++ b/rta/obfuscated_powershell.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # All encoded versions of the following: # `iex("Write-Host 'This is my test command' -ForegroundColor Green; start c:\windows\system32\calc")` diff --git a/rta/office_app_execution.py b/rta/office_app_execution.py index 79a97656b..afabe7be7 100644 --- a/rta/office_app_execution.py +++ b/rta/office_app_execution.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/Microsoft PowerPoint" diff --git a/rta/office_application_startup.py b/rta/office_application_startup.py index 0c8c4c01c..8eaca8621 100644 --- a/rta/office_application_startup.py +++ b/rta/office_application_startup.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(dll_location="c:\\windows\\temp\\evil.dll"): # Write evil dll to office test path: subkey = "Software\\Microsoft\\Office Test\\Special\\Perf" diff --git a/rta/office_child_process.py b/rta/office_child_process.py index 03a79cf78..e81e66e72 100644 --- a/rta/office_child_process.py +++ b/rta/office_child_process.py 
@@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/openssl_decode_payload.py b/rta/openssl_decode_payload.py index 6a522427d..7c08c5b9f 100644 --- a/rta/openssl_decode_payload.py +++ b/rta/openssl_decode_payload.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/openssl" diff --git a/rta/openssl_file_drop.py b/rta/openssl_file_drop.py index 9a6a898dd..5a9631653 100644 --- a/rta/openssl_file_drop.py +++ b/rta/openssl_file_drop.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/testbin" diff --git a/rta/opera_child_process.py b/rta/opera_child_process.py index 2b9c654a0..43d7768ce 100644 --- a/rta/opera_child_process.py +++ b/rta/opera_child_process.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/osascript_hidden_login_item.py b/rta/osascript_hidden_login_item.py index 70c8088a6..aaad0ecd6 100644 --- a/rta/osascript_hidden_login_item.py +++ b/rta/osascript_hidden_login_item.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" diff --git a/rta/osascript_net_conn.py b/rta/osascript_net_conn.py index 7b5cccd43..85277e0ff 100644 --- a/rta/osascript_net_conn.py +++ b/rta/osascript_net_conn.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/osascript" diff --git a/rta/osascript_sh_execution.py b/rta/osascript_sh_execution.py index 3cd6cddc7..661043a14 100644 
--- a/rta/osascript_sh_execution.py +++ b/rta/osascript_sh_execution.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/osascript" diff --git a/rta/osascript_suspicious_cmdline.py b/rta/osascript_suspicious_cmdline.py index 8c6945bb6..cfa85ea0d 100644 --- a/rta/osascript_suspicious_cmdline.py +++ b/rta/osascript_suspicious_cmdline.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/osascript" diff --git a/rta/outlook_suspicious_child.py b/rta/outlook_suspicious_child.py index b3170ee3a..719ea6467 100644 --- a/rta/outlook_suspicious_child.py +++ b/rta/outlook_suspicious_child.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): outlook = "C:\\Users\\Public\\outlook.exe" svchost = "C:\\Users\\Public\\svchost.exe" diff --git a/rta/overlayfs_privesc.py b/rta/overlayfs_privesc.py new file mode 100644 index 000000000..5e318faf3 --- /dev/null +++ b/rta/overlayfs_privesc.py 
@@ -0,0 +1,53 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import subprocess
+
+
+metadata = RtaMetadata(
+ uuid="a78663dc-9561-40a9-b4eb-f15e31c690cc",
+ platforms=["linux"],
+ endpoint=[{"rule_name": "Potential Privilege Escalation via OverlayFS", "rule_id": "ca9de348-a09d-4c67-af21-5645b70003d0"}],
+ siem=[{"rule_name": "Potential Privilege Escalation via OverlayFS", "rule_id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57"}],
+ techniques=["T1068"],
+)
+
+@common.requires_os(metadata.platforms)
+
+def main():
+ common.log("Creating a fake unshare executable..")
+ masquerade = "/tmp/unshare"
+ source = common.get_path("bin", "linux.ditto_and_spawn")
+ common.copy_file(source, masquerade)
+
+ # Execute command
+ commands = [
+ masquerade,
+ '-rm',
+ 'cap_setuid'
+ ]
+
+ common.log("Launching fake commands to set cap_setuid via unshare")
+ common.execute([*commands], timeout=2, kill=True)
+ common.log("Unshare simulation succesful")
+
+ common.log("Faking uid change via same parent")
+
+ sudo_commands = [
+ "sudo",
+ "su"
+ ]
+
+ subprocess.run(sudo_commands, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ common.log("Uid change simulation succesful")
+
+ # cleanup
+ common.remove_file(masquerade)
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/path_passed_to_system.py b/rta/path_passed_to_system.py
index 5a540e290..b23957773 100644
--- a/rta/path_passed_to_system.py
+++ b/rta/path_passed_to_system.py
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
 )
-@common.requires_os(metadata.platforms)
+@common.requires_os(*metadata.platforms)
 def main():
 masquerade = "/tmp/bash"
diff --git a/rta/payload_decode_bash_cmds.py b/rta/payload_decode_bash_cmds.py
index e810b0049..73ada0793 100644
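Review bot: The new `rta/overlayfs_privesc.py` still decorates `main` with `@common.requires_os(metadata.platforms)` (no unpacking), while every other hunk in this commit rewrites that call to `@common.requires_os(*metadata.platforms)`; if `requires_os` now takes the platforms as positional varargs, this RTA is gated on the list object rather than on `"linux"`. Change it to `@common.requires_os(*metadata.platforms)` and drop the blank line between the decorator and `def main():`. The `subprocess.run(sudo_commands, stdin=subprocess.PIPE, ...)` call has no `timeout`, unlike the `common.execute(..., timeout=2, kill=True)` call above it, so an interactive `sudo` prompt leaves the test run hanging with a pipe nobody writes to; passing `timeout=` and `input=b""` instead of an unwritten `stdin=subprocess.PIPE` keeps it bounded, and `[*commands]` can simply be `commands`. The log strings spell "successful" as "succesful", and the two separate `from . import common` / `from . import RtaMetadata` lines differ from the `from . import RtaMetadata, common` form this same commit introduces in the other files.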
--- a/rta/payload_decode_bash_cmds.py +++ b/rta/payload_decode_bash_cmds.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/periodic_task_creation.py b/rta/periodic_task_creation.py index 1e21b8f72..eae2b4553 100644 --- a/rta/periodic_task_creation.py +++ b/rta/periodic_task_creation.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing file modification on periodic file test.conf to mimic periodic tasks creation") diff --git a/rta/persistence_chrome_extension.py b/rta/persistence_chrome_extension.py index d26088e1c..98da3fc7c 100644 --- a/rta/persistence_chrome_extension.py +++ b/rta/persistence_chrome_extension.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing chrome commands to load suspicious ext.") diff --git a/rta/persistence_mail_plist.py b/rta/persistence_mail_plist.py index c4632c0b8..5a4a83fa1 100644 --- a/rta/persistence_mail_plist.py +++ b/rta/persistence_mail_plist.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing file modification on SyncedRules.plist file.") diff --git a/rta/persistence_plist_masquerade.py b/rta/persistence_plist_masquerade.py index 6ef917de4..4a029a321 100644 --- a/rta/persistence_plist_masquerade.py +++ b/rta/persistence_plist_masquerade.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" diff --git a/rta/persistence_startup_item.py b/rta/persistence_startup_item.py index 1c50e2c72..b497a36de 100644 --- a/rta/persistence_startup_item.py 
+++ b/rta/persistence_startup_item.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing creation on temp StartupParameters.plist file.") diff --git a/rta/persistence_startup_unusual_process.py b/rta/persistence_startup_unusual_process.py index 325ed3e49..0cc1f5b9b 100644 --- a/rta/persistence_startup_unusual_process.py +++ b/rta/persistence_startup_unusual_process.py @@ -34,7 +34,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" tempowershell = "C:\\Windows\\notp0sh.exe" diff --git a/rta/persistent_scripts.py b/rta/persistent_scripts.py index ac7fc765a..6e696c6f4 100644 --- a/rta/persistent_scripts.py +++ b/rta/persistent_scripts.py @@ -9,10 +9,9 @@ import os import time +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="2ab62c28-1abb-4ac5-a16d-2f4f75d01d02", @@ -27,7 +26,7 @@ VBS = common.get_path("bin", "persistent_script.vbs") NAME = "rta-vbs-persistence" -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(common.PS_EXEC, VBS) def main(): common.log("Persistent Scripts") @@ -38,7 +37,7 @@ def main(): # Remove any existing profiles user_profile = os.environ["USERPROFILE"] - log_file = os.path.join(user_profile, NAME + ".log") + log_file = Path(user_profile) / NAME / ".log" # Remove log file if exists common.remove_file(log_file) diff --git a/rta/ping_delayed_exec.py b/rta/ping_delayed_exec.py index 273dd81fa..635873e0e 100644 --- a/rta/ping_delayed_exec.py +++ b/rta/ping_delayed_exec.py 
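Review bot: `log_file = Path(user_profile) / NAME / ".log"` in `rta/persistent_scripts.py` does not reproduce the removed `os.path.join(user_profile, NAME + ".log")`: the `/` operator inserts a path separator, so the result is `<USERPROFILE>/rta-vbs-persistence/.log` (a file named `.log` inside a directory named after NAME) instead of `<USERPROFILE>/rta-vbs-persistence.log`, and the following `common.remove_file(log_file)` looks for the wrong file. Use `log_file = Path(user_profile) / (NAME + ".log")` or `log_file = Path(user_profile) / f"{NAME}.log"`. `main` begins above this hunk and any later use of `log_file` is outside the visible lines, so whatever else relies on the `.log` name is affected the same way.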
@@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cmd = "C:\\Windows\\System32\\cmd.exe" diff --git a/rta/pkexec_shell.py b/rta/pkexec_shell.py index de2bde6a7..c50f300d9 100644 --- a/rta/pkexec_shell.py +++ b/rta/pkexec_shell.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing command to simulate privilege escalation via PKEXEC exploitation") # The exploit reproduction is available for commercial usage via MIT License diff --git a/rta/pkg_install_chmod.py b/rta/pkg_install_chmod.py index 1bc9870cf..45be4e6b7 100644 --- a/rta/pkg_install_chmod.py +++ b/rta/pkg_install_chmod.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dest_file = "/tmp/test.py" diff --git a/rta/plist_creation.py b/rta/plist_creation.py index 8d57c16e5..3e7dd59ce 100644 --- a/rta/plist_creation.py +++ b/rta/plist_creation.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): launch_agents_dir = Path.home() / "Library" / "Launchagents" plistbuddy_bin = "/usr/libexec/PlistBuddy" diff --git a/rta/plistbuddy_file_modification.py b/rta/plistbuddy_file_modification.py index 1e09e76d6..c03a87dbc 100644 --- a/rta/plistbuddy_file_modification.py +++ b/rta/plistbuddy_file_modification.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/plistbuddy" diff --git a/rta/port_monitor.py b/rta/port_monitor.py index 16bdebbb3..e51147a74 100644 --- a/rta/port_monitor.py +++ b/rta/port_monitor.py 
@@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Writing registry key and dummy dll") diff --git a/rta/powershell_args.py b/rta/powershell_args.py index c2f5ce327..deadc64ab 100644 --- a/rta/powershell_args.py +++ b/rta/powershell_args.py @@ -9,11 +9,9 @@ # Description: Calls PowerShell with suspicious command line arguments. import base64 -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="5efc844c-0c11-4f84-a904-ada611315298", @@ -28,10 +26,10 @@ def encode(command): return base64.b64encode(command.encode("utf-16le")) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("PowerShell Suspicious Commands") - temp_script = os.path.abspath("tmp.ps1") + temp_script = Path("tmp.ps1").resolve() # Create an empty script with open(temp_script, "w") as f: diff --git a/rta/powershell_base64_gzip.py b/rta/powershell_base64_gzip.py index 380d4b8d1..b5efea1e2 100644 --- a/rta/powershell_base64_gzip.py +++ b/rta/powershell_base64_gzip.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("PowerShell with base64/gzip") diff --git a/rta/powershell_delete_shadow_copy.py b/rta/powershell_delete_shadow_copy.py index 6142d212c..4d2370273 100644 --- a/rta/powershell_delete_shadow_copy.py +++ b/rta/powershell_delete_shadow_copy.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/powershell_from_script.py b/rta/powershell_from_script.py index 5693f97cb..709a583ba 100644 --- a/rta/powershell_from_script.py 
+++ b/rta/powershell_from_script.py @@ -9,12 +9,10 @@ # ATT&CK: T1064, T1192, T1193 # Description: Creates a javascript file that will launch powershell. -import os import time +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="161c5972-6bfe-47b5-92bd-e0399e025dec", @@ -25,10 +23,10 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Write script - script_file = os.path.abspath("launchpowershell.vbs") + script_file = Path("launchpowershell.vbs").resolve() script = """Set objShell = CreateObject("Wscript.shell") objShell.run("powershell echo 'Doing evil things...'; sleep 3") """ diff --git a/rta/powershell_unsigned_defender_exclusion.py b/rta/powershell_unsigned_defender_exclusion.py index 53ba8527a..22d4dc078 100644 --- a/rta/powershell_unsigned_defender_exclusion.py +++ b/rta/powershell_unsigned_defender_exclusion.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Users\\Public\\posh.exe" common.copy_file(EXE_FILE, posh) diff --git a/rta/powershell_vault_access.py b/rta/powershell_vault_access.py index 937992cad..392818241 100644 --- a/rta/powershell_vault_access.py +++ b/rta/powershell_vault_access.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/privilege_escalation_remote_thread.py b/rta/privilege_escalation_remote_thread.py index c24592ea0..2753b4505 100644 --- a/rta/privilege_escalation_remote_thread.py +++ b/rta/privilege_escalation_remote_thread.py 
@@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): if platform.processor() == "arm": diff --git a/rta/privilege_escalation_tcc_bypass.py b/rta/privilege_escalation_tcc_bypass.py index 323dea346..38818d41f 100644 --- a/rta/privilege_escalation_tcc_bypass.py +++ b/rta/privilege_escalation_tcc_bypass.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing deletion on /tmp/TCC.db file.") diff --git a/rta/process_double_extension.py b/rta/process_double_extension.py index 6f67aefea..c4acc2cee 100644 --- a/rta/process_double_extension.py +++ b/rta/process_double_extension.py @@ -29,7 +29,7 @@ metadata = RtaMetadata( MY_APP = common.get_path("bin", "myapp_x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MY_APP) def main(): anomalies = ["test.txt.exe"] diff --git a/rta/process_extension_anomalies.py b/rta/process_extension_anomalies.py index 7864464a7..6bd209f19 100644 --- a/rta/process_extension_anomalies.py +++ b/rta/process_extension_anomalies.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( MY_APP = common.get_path("bin", "myapp.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MY_APP) def main(): anomalies = [ diff --git a/rta/process_name_masquerade.py b/rta/process_name_masquerade.py index dc4e8cdef..9c2ca9bee 100644 --- a/rta/process_name_masquerade.py +++ b/rta/process_name_masquerade.py @@ -3,11 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="98adf0ff-2d8e-4eea-8d68-42084204bb74", 
@@ -24,12 +22,12 @@ metadata = RtaMetadata( CMD_PATH = "c:\\windows\\system32\\cmd.exe" -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerades = ["svchost.exe", "lsass.exe"] for name in masquerades: - path = os.path.abspath(name) + path = Path(name).resolve() common.copy_file(CMD_PATH, path) common.execute(path, timeout=3, kill=True) common.remove_file(path) diff --git a/rta/ransomnote_delete_shadows.py b/rta/ransomnote_delete_shadows.py index 709eb6368..da75a47f8 100644 --- a/rta/ransomnote_delete_shadows.py +++ b/rta/ransomnote_delete_shadows.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): vssadmin = "C:\\Windows\\System32\\vssadmin.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/recycle_bin_process.py b/rta/recycle_bin_process.py index 9c3837ff1..3097f482d 100644 --- a/rta/recycle_bin_process.py +++ b/rta/recycle_bin_process.py @@ -8,12 +8,10 @@ # ATT&CK: T1158 # Description: Executes mock malware from the "C:\Recycler\" and "C:\$RECYCLE.BIN\" subdirectories. -import os import time +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="790cbe6f-ee44-4654-9998-039236dbe0d8", @@ -33,13 +31,13 @@ RECYCLE_PATHS = ["C:\\$Recycle.Bin", "C:\\Recycler"] TARGET_APP = common.get_path("bin", "myapp.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(TARGET_APP, common.CMD_PATH) def main(): common.log("Execute files from the Recycle Bin") target_dir = None for recycle_path in RECYCLE_PATHS: - if os.path.exists(recycle_path): + if Path(recycle_path).exists(): target_dir = common.find_writeable_directory(recycle_path) if target_dir: break 
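Review bot: `path = Path(name).resolve()` now hands a `pathlib.Path` rather than a `str` to `common.copy_file`, `common.execute` and `common.remove_file`; the same happens with `target_path` inserted into the `arguments` list in `rta/recycle_bin_process.py` and with `filename` placed in the `reg save` argument list in `rta/registry_hive_export.py`. `common.execute` is not part of this diff, so whether it accepts path-like command elements (passing the list straight to `subprocess`) or does string handling on the command (joining, `isinstance(..., str)` checks) cannot be verified from here; if it is the latter, these call sites need `str(path)`. Wrapping the value in `str()` at each site, or accepting `os.PathLike` inside `common.execute`, would make the `os.path` to `pathlib` migration safe, and note that `resolve()` also follows symlinks where `os.path.abspath` did not, which is harmless for these freshly copied files. `main` may continue past the end of this hunk.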
@@ -58,7 +56,7 @@ def main(): source_path = command[0] arguments = command[1:] - target_path = os.path.join(target_dir, "recycled_process.exe") + target_path = Path(target_dir) / "recycled_process.exe" common.copy_file(source_path, target_path) arguments.insert(0, target_path) common.execute(arguments) diff --git a/rta/reg_creation_servicedll.py b/rta/reg_creation_servicedll.py index d0f0b41e7..f51b6ed9e 100644 --- a/rta/reg_creation_servicedll.py +++ b/rta/reg_creation_servicedll.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Temporarily creating a Service DLL reg key...") diff --git a/rta/reg_mod_amsienable.py b/rta/reg_mod_amsienable.py index 74a77b3c1..05a21e133 100644 --- a/rta/reg_mod_amsienable.py +++ b/rta/reg_mod_amsienable.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software\\Microsoft\\Windows Script\\Settings" value = "AmsiEnable" diff --git a/rta/reg_mod_appcertdlls.py b/rta/reg_mod_appcertdlls.py index 9ca7cf12a..758ab5316 100644 --- a/rta/reg_mod_appcertdlls.py +++ b/rta/reg_mod_appcertdlls.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs" value = "RTA" diff --git a/rta/reg_mod_appinitdlls.py b/rta/reg_mod_appinitdlls.py index 6a81ddc51..ef8208fc8 100644 --- a/rta/reg_mod_appinitdlls.py +++ b/rta/reg_mod_appinitdlls.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" value = "AppInit_Dlls" 
diff --git a/rta/reg_mod_autodialdll.py b/rta/reg_mod_autodialdll.py index 9e8e8b3c2..19d2a8f6b 100644 --- a/rta/reg_mod_autodialdll.py +++ b/rta/reg_mod_autodialdll.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters" value = "AutodialDLL" diff --git a/rta/reg_mod_base64_executable.py b/rta/reg_mod_base64_executable.py index 3b3bd2abc..43bcafd15 100644 --- a/rta/reg_mod_base64_executable.py +++ b/rta/reg_mod_base64_executable.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Policies\\Test" value = "Base64" diff --git a/rta/reg_mod_builtindnsclientenabled.py b/rta/reg_mod_builtindnsclientenabled.py index ffc3bb434..701769a6e 100644 --- a/rta/reg_mod_builtindnsclientenabled.py +++ b/rta/reg_mod_builtindnsclientenabled.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Policies\\Microsoft\\Edge" value = "BuiltInDnsClientEnabled" diff --git a/rta/reg_mod_disable_uac.py b/rta/reg_mod_disable_uac.py index aa2753ea3..5b764d60c 100644 --- a/rta/reg_mod_disable_uac.py +++ b/rta/reg_mod_disable_uac.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" value = "EnableLUA" diff --git a/rta/reg_mod_disableantispyware.py b/rta/reg_mod_disableantispyware.py index f5461c92d..139bbd785 100644 --- a/rta/reg_mod_disableantispyware.py +++ b/rta/reg_mod_disableantispyware.py 
@@ -25,7 +25,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" value = "DisableAntiSpyware" diff --git a/rta/reg_mod_driver_blocklist.py b/rta/reg_mod_driver_blocklist.py index de04b2223..f48b4ebe9 100644 --- a/rta/reg_mod_driver_blocklist.py +++ b/rta/reg_mod_driver_blocklist.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SYSTEM\\CurrentControlSet\\Control\\CI\\Config" value = "VulnerableDriverBlocklistEnable" diff --git a/rta/reg_mod_enableat.py b/rta/reg_mod_enableat.py index 1347a4ae7..da6cfff3c 100644 --- a/rta/reg_mod_enableat.py +++ b/rta/reg_mod_enableat.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration" value = "EnableAt" diff --git a/rta/reg_mod_enablescriptblocklogging.py b/rta/reg_mod_enablescriptblocklogging.py index 84e72c6b6..5ec7161db 100644 --- a/rta/reg_mod_enablescriptblocklogging.py +++ b/rta/reg_mod_enablescriptblocklogging.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" value = "EnableScriptBlockLogging" diff --git a/rta/reg_mod_ifeo.py b/rta/reg_mod_ifeo.py index 0c727830a..7c4b6f154 100644 --- a/rta/reg_mod_ifeo.py +++ b/rta/reg_mod_ifeo.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Temp Registry mod: IFEO") 
diff --git a/rta/reg_mod_lsa_ssp.py b/rta/reg_mod_lsa_ssp.py index 69f683033..ba34c6ab1 100644 --- a/rta/reg_mod_lsa_ssp.py +++ b/rta/reg_mod_lsa_ssp.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SYSTEM\\ControlSet001\\Control\\Lsa\\Security Packages" key2 = "SYSTEM\\ControlSet001\\Control\\Lsa" diff --git a/rta/reg_mod_netwire.py b/rta/reg_mod_netwire.py index ba99703b3..9ea64ee6b 100644 --- a/rta/reg_mod_netwire.py +++ b/rta/reg_mod_netwire.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Temporarily creating a Netwire RAT-like reg key...") diff --git a/rta/reg_mod_networkprovider.py b/rta/reg_mod_networkprovider.py index 3ea63f348..be2d0c924 100644 --- a/rta/reg_mod_networkprovider.py +++ b/rta/reg_mod_networkprovider.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "System\\CurrentControlSet\\Services\\Test\\NetworkProvider" value = "ProviderPath" diff --git a/rta/reg_mod_nullsessionpipes.py b/rta/reg_mod_nullsessionpipes.py index d49ad47ff..6a39cd31d 100644 --- a/rta/reg_mod_nullsessionpipes.py +++ b/rta/reg_mod_nullsessionpipes.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Modifying NullSessionPipes reg key...") diff --git a/rta/reg_mod_plugx.py b/rta/reg_mod_plugx.py index 4ff4f27f7..20a72fea8 100644 --- a/rta/reg_mod_plugx.py +++ b/rta/reg_mod_plugx.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Temporarily creating a PlugX-like reg key...") 
diff --git a/rta/reg_mod_point_and_print_dll.py b/rta/reg_mod_point_and_print_dll.py index 3e31630af..214590001 100644 --- a/rta/reg_mod_point_and_print_dll.py +++ b/rta/reg_mod_point_and_print_dll.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\RTA" diff --git a/rta/reg_mod_port_forwarding.py b/rta/reg_mod_port_forwarding.py index 7cfb6efd3..b1fb79d92 100644 --- a/rta/reg_mod_port_forwarding.py +++ b/rta/reg_mod_port_forwarding.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "System\\CurrentControlSet\\Services\\PortProxy\\v4tov4" value = "a" diff --git a/rta/reg_mod_print_processors.py b/rta/reg_mod_print_processors.py index b8191f1b0..e8f049bca 100644 --- a/rta/reg_mod_print_processors.py +++ b/rta/reg_mod_print_processors.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SYSTEM\\ControlSet001\\Control\\Print\\Monitors" value = "RTA" diff --git a/rta/reg_mod_remcos.py b/rta/reg_mod_remcos.py index 686d0cfde..1469310ab 100644 --- a/rta/reg_mod_remcos.py +++ b/rta/reg_mod_remcos.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Temporarily creating a Remcos RAT alike reg key...") diff --git a/rta/reg_mod_run_key_unusual_proc.py b/rta/reg_mod_run_key_unusual_proc.py index 5ab1736eb..3f4697c50 100644 --- a/rta/reg_mod_run_key_unusual_proc.py +++ b/rta/reg_mod_run_key_unusual_proc.py 
@@ -27,7 +27,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Windows\\posh.exe" common.copy_file(EXE_FILE, posh) diff --git a/rta/reg_mod_shadow_rdp.py b/rta/reg_mod_shadow_rdp.py index ecbb4baba..b6d678c1e 100644 --- a/rta/reg_mod_shadow_rdp.py +++ b/rta/reg_mod_shadow_rdp.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Modifying RDP Shadow reg key...") diff --git a/rta/reg_mod_shim_sb.py b/rta/reg_mod_shim_sb.py index 1f117f9d6..f3025cf40 100644 --- a/rta/reg_mod_shim_sb.py +++ b/rta/reg_mod_shim_sb.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom" value = "a.sdb" diff --git a/rta/reg_mod_startup_shell_folder.py b/rta/reg_mod_startup_shell_folder.py index 8f6b8abe5..0ef202897 100644 --- a/rta/reg_mod_startup_shell_folder.py +++ b/rta/reg_mod_startup_shell_folder.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" value = "Common Startup" diff --git a/rta/reg_mod_suspicious_service.py b/rta/reg_mod_suspicious_service.py index be4ba9de1..298c88662 100644 --- a/rta/reg_mod_suspicious_service.py +++ b/rta/reg_mod_suspicious_service.py 
@@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SYSTEM\\ControlSet001\\Services\\RTA" value = "ImagePath" diff --git a/rta/reg_mod_systemcertificates.py b/rta/reg_mod_systemcertificates.py index e348fabcd..03ebd4679 100644 --- a/rta/reg_mod_systemcertificates.py +++ b/rta/reg_mod_systemcertificates.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\Test" value = "Blob" diff --git a/rta/reg_mod_time_provider.py b/rta/reg_mod_time_provider.py index cfb11c0ea..29fddebdb 100644 --- a/rta/reg_mod_time_provider.py +++ b/rta/reg_mod_time_provider.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SYSTEM\\ControlSet001\\Services\\W32Time\\TimeProviders" value = "Test" diff --git a/rta/reg_mod_unusual_startup_folder.py b/rta/reg_mod_unusual_startup_folder.py index 26accbb46..daef9d721 100644 --- a/rta/reg_mod_unusual_startup_folder.py +++ b/rta/reg_mod_unusual_startup_folder.py @@ -19,7 +19,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Temp Registry mod: Common Startup Folder") diff --git a/rta/reg_mod_windir.py b/rta/reg_mod_windir.py index b5cb533a9..c5eceee68 100644 --- a/rta/reg_mod_windir.py +++ b/rta/reg_mod_windir.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "System\\Environment" value = "windir" diff --git a/rta/reg_run_key_asterisk.py b/rta/reg_run_key_asterisk.py index 4d3756836..c6a58b924 100644 
--- a/rta/reg_run_key_asterisk.py +++ b/rta/reg_run_key_asterisk.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Writing registry key") diff --git a/rta/reg_vss_service_disable.py b/rta/reg_vss_service_disable.py index e87dd3c87..ee3f483c6 100644 --- a/rta/reg_vss_service_disable.py +++ b/rta/reg_vss_service_disable.py @@ -31,7 +31,7 @@ metadata = RtaMetadata( HIGHENTROPY = common.get_path("bin", "highentropy.txt") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SYSTEM\\CurrentControlSet\\Services\\VSS" value = "Start" diff --git a/rta/registry_hive_export.py b/rta/registry_hive_export.py index 5ba09b263..dfe074f96 100644 --- a/rta/registry_hive_export.py +++ b/rta/registry_hive_export.py @@ -8,11 +8,9 @@ # ATT&CK: TBD # Description: Exports the SAM, SECURITY and SYSTEM hives - useful in credential harvesting and discovery attacks. -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="dfdcc4f4-5aca-486a-8115-b15b653b9b4f", @@ -31,10 +29,10 @@ metadata = RtaMetadata( REG = "reg.exe" -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): for hive in ["sam", "security", "system"]: - filename = os.path.abspath("%s.reg" % hive) + filename = Path("%s.reg" % hive).resolve() common.log("Exporting %s hive to %s" % (hive, filename)) common.execute([REG, "save", "hkey_local_machine\\%s" % hive, filename]) common.remove_file(filename) diff --git a/rta/registry_persistence_create.py b/rta/registry_persistence_create.py index c22a7fde6..7a545b423 100644 --- a/rta/registry_persistence_create.py +++ b/rta/registry_persistence_create.py 
@@ -38,7 +38,7 @@ def pause(): time.sleep(0.5) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(TARGET_APP) def main(): common.log("Suspicious Registry Persistence") diff --git a/rta/registry_rdp_enable.py b/rta/registry_rdp_enable.py index ec75a9260..66488ec7a 100644 --- a/rta/registry_rdp_enable.py +++ b/rta/registry_rdp_enable.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Enabling RDP Through Registry") diff --git a/rta/regsvr32_scrobj.py b/rta/regsvr32_scrobj.py index 9c00bdc6a..b9534e439 100644 --- a/rta/regsvr32_scrobj.py +++ b/rta/regsvr32_scrobj.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): regsvr32 = "C:\\Users\\Public\\regsvr32.exe" common.copy_file(EXE_FILE, regsvr32) diff --git a/rta/regsvr32_unusual_args.py b/rta/regsvr32_unusual_args.py index 369f55872..c622432c9 100644 --- a/rta/regsvr32_unusual_args.py +++ b/rta/regsvr32_unusual_args.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "regsvr32.exe" common.copy_file(EXE_FILE, binary) diff --git a/rta/renamed_autoit.py b/rta/renamed_autoit.py index 048861cdf..295df368a 100644 --- a/rta/renamed_autoit.py +++ b/rta/renamed_autoit.py @@ -19,7 +19,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): autoit = "C:\\Users\\Public\\rta.exe" rcedit = "C:\\Users\\Public\\rcedit.exe" diff --git a/rta/renamed_automaton_interpreter.py b/rta/renamed_automaton_interpreter.py index 8c2a4b9b9..2549779b0 100644 
--- a/rta/renamed_automaton_interpreter.py +++ b/rta/renamed_automaton_interpreter.py @@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): autohotkey = "C:\\Users\\Public\\notaut0hotkey.exe" rcedit = "C:\\Users\\Public\\rcedit.exe" diff --git a/rta/reverse_shell.py b/rta/reverse_shell.py index d02502663..6e6e06c61 100644 --- a/rta/reverse_shell.py +++ b/rta/reverse_shell.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing command to simulate reverse shell execution") diff --git a/rta/root_cert_install.py b/rta/root_cert_install.py index 659eb0d0c..02ff6a119 100644 --- a/rta/root_cert_install.py +++ b/rta/root_cert_install.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/security" diff --git a/rta/root_crontab_file_modification.py b/rta/root_crontab_file_modification.py index 39a086b4b..1bae7f7ea 100644 --- a/rta/root_crontab_file_modification.py +++ b/rta/root_crontab_file_modification.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing deletion on /private/var/at/tabs/root file.") diff --git a/rta/rubeus_alike_commandline.py b/rta/rubeus_alike_commandline.py index 375dfba61..77de4b327 100644 --- a/rta/rubeus_alike_commandline.py +++ b/rta/rubeus_alike_commandline.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" 
diff --git a/rta/rundll32_inf_callback.py b/rta/rundll32_inf_callback.py index 1bc608dff..013485d7b 100644 --- a/rta/rundll32_inf_callback.py +++ b/rta/rundll32_inf_callback.py @@ -28,7 +28,7 @@ metadata = RtaMetadata( INF_FILE = common.get_path("bin", "script_launch.inf") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(INF_FILE) def main(): # http server will terminate on main thread exit diff --git a/rta/rundll32_javascript_callback.py b/rta/rundll32_javascript_callback.py index d2bb42aec..7a97a0ed1 100644 --- a/rta/rundll32_javascript_callback.py +++ b/rta/rundll32_javascript_callback.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("RunDLL32 with Javascript Callback") server, ip, port = common.serve_web() diff --git a/rta/rundll32_unusual_args.py b/rta/rundll32_unusual_args.py index 86d11f178..e393695a9 100644 --- a/rta/rundll32_unusual_args.py +++ b/rta/rundll32_unusual_args.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): source_dll = "C:\\Windows\\System32\\IEAdvpack.dll" dll = "C:\\Users\\Public\\IEAdvpack.dll" diff --git a/rta/rundll32_unusual_dll_extension.py b/rta/rundll32_unusual_dll_extension.py index 14af87ca2..c6ecc30a8 100644 --- a/rta/rundll32_unusual_dll_extension.py +++ b/rta/rundll32_unusual_dll_extension.py @@ -26,7 +26,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): rundll32 = "C:\\Users\\Public\\rundll32.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/schtask_escalation.py b/rta/schtask_escalation.py index 79f06cfef..69dc9bdd5 100644 --- a/rta/schtask_escalation.py +++ b/rta/schtask_escalation.py 
@@ -11,12 +11,10 @@ # signal.rule.name: Net command via SYSTEM account # ATT&CK: T1053 -import os import time +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="1a61241e-5b1b-44ec-8c9f-3ae4652550be", @@ -35,12 +33,12 @@ def schtasks(*args, **kwargs): return common.execute(["schtasks.exe"] + list(args), **kwargs) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Scheduled Task Privilege Escalation") task_name = "test-task-rta" - file_path = os.path.abspath("task.log") + file_path = Path("task.log").resolve() command = "cmd.exe /c whoami.exe > " + file_path # Delete the task if it exists diff --git a/rta/schtasks_xml_masqueraded.py b/rta/schtasks_xml_masqueraded.py index 644daccb7..2d278e2bc 100644 --- a/rta/schtasks_xml_masqueraded.py +++ b/rta/schtasks_xml_masqueraded.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Execute Command common.log("Executing command to simulate the task creation (This will not create a task)") diff --git a/rta/scp_privacy_bypass.py b/rta/scp_privacy_bypass.py index ee0b387bd..0d020c7cf 100644 --- a/rta/scp_privacy_bypass.py +++ b/rta/scp_privacy_bypass.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/scp" diff --git a/rta/screensaver_child_process.py b/rta/screensaver_child_process.py index cea3e9c39..a3fbb91e4 100644 --- a/rta/screensaver_child_process.py +++ b/rta/screensaver_child_process.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/ScreenSaverEngine" diff --git a/rta/screensaver_plist_mod.py b/rta/screensaver_plist_mod.py index e382f0480..132df6e5a 100644 
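Review bot: `command = "cmd.exe /c whoami.exe > " + file_path` now concatenates a `str` with a `Path` and raises `TypeError` at runtime, because `Path("task.log").resolve()` no longer returns the `str` that `os.path.abspath` did. Use `command = "cmd.exe /c whoami.exe > " + str(file_path)` (or an f-string) so the redirect target is rendered as text. The rest of main's body continues outside the hunk.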
--- a/rta/screensaver_plist_mod.py +++ b/rta/screensaver_plist_mod.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/killall" diff --git a/rta/scrobj_com_hijack.py b/rta/scrobj_com_hijack.py index e1cd13a1d..8bf11f9b6 100644 --- a/rta/scrobj_com_hijack.py +++ b/rta/scrobj_com_hijack.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-0000DEADBEEF}" subkey = "InprocServer32" diff --git a/rta/secure_file_deletion.py b/rta/secure_file_deletion.py index 791f8386a..79bd6772b 100644 --- a/rta/secure_file_deletion.py +++ b/rta/secure_file_deletion.py @@ -6,10 +6,9 @@ import os import subprocess import tempfile +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="9cb42759-a161-4d93-b07d-3c8254dc8838", @@ -20,9 +19,9 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): - temp_path = os.path.join(tempfile.gettempdir(), os.urandom(16).encode("hex")) + temp_path = Path(tempfile.gettempdir()) / os.urandom(16).encode("hex") sdelete_path = common.get_path("bin", "sdelete.exe") try: diff --git a/rta/security_authtrampoline.py b/rta/security_authtrampoline.py index 765a65677..7ffb57d67 100644 --- a/rta/security_authtrampoline.py +++ b/rta/security_authtrampoline.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/sensitive_file_access.py b/rta/sensitive_file_access.py index b55f34e2e..977d15878 100644 --- a/rta/sensitive_file_access.py +++ b/rta/sensitive_file_access.py 
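Review bot: `Path(tempfile.gettempdir()) / os.urandom(16).encode("hex")` cannot run on Python 3: `bytes` has no `.encode`, and `Path.__truediv__` would reject a `bytes` operand anyway — `.encode("hex")` is a Python 2 idiom that the port carried over without fixing. Use `temp_path = Path(tempfile.gettempdir()) / os.urandom(16).hex()`, or let `tempfile.mkstemp()` create the unique file for you. main's body continues outside the hunk.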
@@ -26,7 +26,7 @@ metadata = RtaMetadata( techniques=["T1555.004", "T1552.001", "T1003.003"], ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): diff --git a/rta/settingcontentms_files.py b/rta/settingcontentms_files.py index 6321154a2..da6beda8f 100644 --- a/rta/settingcontentms_files.py +++ b/rta/settingcontentms_files.py @@ -30,7 +30,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Write to AppData\Local\ common.execute(["cmd", "/c", "echo", "test", ">", "%APPDATA%\\test.SettingContent-ms"]) diff --git a/rta/sevenzip_encrypted.py b/rta/sevenzip_encrypted.py index 1fa3ce940..bb96230eb 100644 --- a/rta/sevenzip_encrypted.py +++ b/rta/sevenzip_encrypted.py @@ -9,12 +9,10 @@ # Description: Uses "bin\.exe" to perform encryption of archives and archive headers. import base64 -import os import sys +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="6cd35061-278b-45e7-a9cb-86b48bc47884", 
@@ -28,27 +26,27 @@ metadata = RtaMetadata( SEVENZIP = common.get_path("bin", "7za.exe") -def create_exfil(path=os.path.abspath("secret_stuff.txt")): +def create_exfil(path=Path("secret_stuff.txt").resolve()): common.log("Writing dummy exfil to %s" % path) with open(path, "wb") as f: f.write(base64.b64encode(b"This is really secret stuff\n" * 100)) return path -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(SEVENZIP) def main(password="s0l33t"): # create 7z.exe with not-7zip name, and exfil - svnz2 = os.path.abspath("a.exe") + svnz2 = Path("a.exe").resolve() common.copy_file(SEVENZIP, svnz2) exfil = create_exfil() exts = ["7z", "zip", "gzip", "tar", "bz2", "bzip2", "xz"] - out_jpg = os.path.abspath("out.jpg") + out_jpg = Path("out.jpg").resolve() for ext in exts: # Write archive for each type - out_file = os.path.abspath("out." + ext) + out_file = Path("out." + ext).resolve() common.execute([svnz2, "a", out_file, "-p" + password, exfil], mute=True) common.remove_file(out_file) diff --git a/rta/shellcode_load_ws2_32_unbacked.py b/rta/shellcode_load_ws2_32_unbacked.py index 3782982a3..f2132b9a9 100644 --- a/rta/shellcode_load_ws2_32_unbacked.py +++ b/rta/shellcode_load_ws2_32_unbacked.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Inject shellcode into WerFault.exe to trigger diff --git a/rta/shellcode_winexec_calc.py b/rta/shellcode_winexec_calc.py index db1376370..6b8bce868 100644 --- a/rta/shellcode_winexec_calc.py +++ b/rta/shellcode_winexec_calc.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( techniques=["T1134", "T1055"], ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): diff --git a/rta/shlayer_payload.py b/rta/shlayer_payload.py index 909e69a11..a540c870a 100644 --- a/rta/shlayer_payload.py +++ b/rta/shlayer_payload.py 
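Review bot: `create_exfil(path=Path("secret_stuff.txt").resolve())` evaluates the default once at import time, so the path is resolved against whatever the working directory was when the module loaded rather than when `main()` calls it; `os.path.abspath` in the default had the same flaw and the port keeps it. Prefer `def create_exfil(path=None):` with `path = Path("secret_stuff.txt").resolve() if path is None else path` as the first statement so resolution happens per call. The `Path` values built in `main()` are then passed to `common.copy_file`/`common.execute`/`common.remove_file`, which is only safe if those helpers accept `os.PathLike`.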
@@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/curl" diff --git a/rta/shortcut_file_suspicious_process.py b/rta/shortcut_file_suspicious_process.py index 9915efc16..3856258fa 100644 --- a/rta/shortcut_file_suspicious_process.py +++ b/rta/shortcut_file_suspicious_process.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Writing dummy shortcut file") shortcut_path = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\evil.lnk" diff --git a/rta/shove_sip_bypass.py b/rta/shove_sip_bypass.py index 947e6f47b..fa42eb1dd 100644 --- a/rta/shove_sip_bypass.py +++ b/rta/shove_sip_bypass.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/sh" diff --git a/rta/signed_proxy_file_written_exec.py b/rta/signed_proxy_file_written_exec.py index 8bfe0e8b4..afd2d9396 100644 --- a/rta/signed_proxy_file_written_exec.py +++ b/rta/signed_proxy_file_written_exec.py @@ -33,7 +33,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() url = f"http://{ip}:{port}/bin/renamed_posh.exe" diff --git a/rta/silentprocessexit_lsass.py b/rta/silentprocessexit_lsass.py index 4e78e438d..8f149c508 100644 --- a/rta/silentprocessexit_lsass.py +++ b/rta/silentprocessexit_lsass.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Temporarily creating LSA SilentProcessExit reg key...") diff --git a/rta/sip_provider.py b/rta/sip_provider.py index 82d9d570b..6d65ce0bc 100644 --- a/rta/sip_provider.py 
+++ b/rta/sip_provider.py @@ -55,7 +55,7 @@ else: TARGET_APP = common.get_path("bin", "myapp.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(SIGCHECK, TRUST_PROVIDER_DLL, TARGET_APP) def main(): common.log("Registering SIP provider") diff --git a/rta/smb_connection.py b/rta/smb_connection.py index b37de0726..4931b04c4 100644 --- a/rta/smb_connection.py +++ b/rta/smb_connection.py @@ -27,7 +27,7 @@ metadata = RtaMetadata( SMB_PORT = 445 -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(ip=None): ip = ip or common.get_ip() diff --git a/rta/solarmaker_backdoor.py b/rta/solarmaker_backdoor.py index d6bb86041..4de1427b8 100644 --- a/rta/solarmaker_backdoor.py +++ b/rta/solarmaker_backdoor.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): reg = "C:\\Windows\\System32\\reg.exe" diff --git a/rta/spctl_gatekeeper_bypass.py b/rta/spctl_gatekeeper_bypass.py index 6b2644c46..eba2ac78b 100644 --- a/rta/spctl_gatekeeper_bypass.py +++ b/rta/spctl_gatekeeper_bypass.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/spctl" diff --git a/rta/special_chars_zip_file.py b/rta/special_chars_zip_file.py index c9492fdcc..718de02fa 100644 --- a/rta/special_chars_zip_file.py +++ b/rta/special_chars_zip_file.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Creating suspicious zip file with special characters to mimic evasion of sanboxed office apps.") diff --git a/rta/sqlite_db_evasion.py b/rta/sqlite_db_evasion.py index edbe2db9f..5fb8f12e3 100644 --- a/rta/sqlite_db_evasion.py +++ b/rta/sqlite_db_evasion.py 
@@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/sqlite3" diff --git a/rta/ssh_bruteforce.py b/rta/ssh_bruteforce.py index d9b23d16f..b5f717196 100644 --- a/rta/ssh_bruteforce.py +++ b/rta/ssh_bruteforce.py @@ -21,7 +21,7 @@ def test(masquerade, masquerade2): common.execute([masquerade2, "childprocess", masquerade], timeout=0.3, kill=True) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/sshd-keygen-wrapper" diff --git a/rta/sticky_keys_write_execute.py b/rta/sticky_keys_write_execute.py index d80540c1e..af2643c3c 100644 --- a/rta/sticky_keys_write_execute.py +++ b/rta/sticky_keys_write_execute.py @@ -11,12 +11,10 @@ # ATT&CK: T1015 # Description: Writes different binaries into various accessibility locations. -import os import time +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="398933ec-f8d4-4d81-93ed-e7d7adcb9d97", @@ -36,7 +34,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Prep bins = [ @@ -48,13 +46,13 @@ def main(): "displayswitch.exe", "atbroker.exe", ] - calc = os.path.abspath("\\windows\\system32\\calc.exe") - temp = os.path.abspath("temp.exe") + calc = Path("\\windows\\system32\\calc.exe").resolve() + temp = Path("temp.exe").resolve() # loop over bins for bin_name in bins: - bin_path = os.path.abspath("\\Windows\\system32\\" + bin_name) + bin_path = Path("\\Windows\\system32\\" + bin_name).resolve() # Back up bin common.copy_file(bin_path, temp) diff --git a/rta/sudo_exploit.py b/rta/sudo_exploit.py index 3dcd7349e..134e5a96c 100644 --- a/rta/sudo_exploit.py +++ b/rta/sudo_exploit.py 
@@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log( "Executing command to simulate attempted use of a heap-based buffer overflow vulnerability for the " diff --git a/rta/susp_scheduled_task_creation.py b/rta/susp_scheduled_task_creation.py index 9f7159b0f..4e1bb16d5 100644 --- a/rta/susp_scheduled_task_creation.py +++ b/rta/susp_scheduled_task_creation.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): regsvr32 = "C:\\Users\\Public\\regsvr32.exe" common.copy_file(EXE_FILE, regsvr32) diff --git a/rta/susp_script_file_name.py b/rta/susp_script_file_name.py index 1f3322797..31ef516b5 100644 --- a/rta/susp_script_file_name.py +++ b/rta/susp_script_file_name.py @@ -27,7 +27,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): mshta = "C:\\Users\\Public\\mshta.exe" rcedit = "C:\\Users\\Public\\rcedit.exe" diff --git a/rta/suspicious_bits_job_notify.py b/rta/suspicious_bits_job_notify.py index 878cc589f..43595c69d 100644 --- a/rta/suspicious_bits_job_notify.py +++ b/rta/suspicious_bits_job_notify.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): svchost = "C:\\Users\\Public\\svchost.exe" child = "C:\\Users\\Public\\child.exe" diff --git a/rta/suspicious_child_acrobat.py b/rta/suspicious_child_acrobat.py index 092ea967c..16712d38f 100644 --- a/rta/suspicious_child_acrobat.py +++ b/rta/suspicious_child_acrobat.py 
@@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): acrobat = "C:\\Users\\Public\\Acrobat.exe" arp = "C:\\Windows\\System32\\arp.exe" diff --git a/rta/suspicious_child_childless_process.py b/rta/suspicious_child_childless_process.py index 6ddd29237..91186789e 100644 --- a/rta/suspicious_child_childless_process.py +++ b/rta/suspicious_child_childless_process.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): svchost = "C:\\Users\\Public\\svchost.exe" rta = "C:\\Users\\Public\\rta.exe" diff --git a/rta/suspicious_child_compattelrunner.py b/rta/suspicious_child_compattelrunner.py index d8b71333b..46905a55a 100644 --- a/rta/suspicious_child_compattelrunner.py +++ b/rta/suspicious_child_compattelrunner.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): compattelrunner = "C:\\Users\\Public\\compattelrunner.exe" child = "C:\\Users\\Public\\child.exe" diff --git a/rta/suspicious_child_dns.py b/rta/suspicious_child_dns.py index 952b65138..bc684c327 100644 --- a/rta/suspicious_child_dns.py +++ b/rta/suspicious_child_dns.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dns = "C:\\Users\\Public\\dns.exe" common.copy_file(EXE_FILE, dns) diff --git a/rta/suspicious_child_exchange_um.py b/rta/suspicious_child_exchange_um.py index fa9666ac5..d8cbf2c7f 100644 --- a/rta/suspicious_child_exchange_um.py +++ b/rta/suspicious_child_exchange_um.py 
@@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): umservice = "C:\\Users\\Public\\umservice.exe" common.copy_file(EXE_FILE, umservice) diff --git a/rta/suspicious_child_explorer.py b/rta/suspicious_child_explorer.py index 12c1af6de..73f37bbb1 100644 --- a/rta/suspicious_child_explorer.py +++ b/rta/suspicious_child_explorer.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): explorer = "C:\\Users\\Public\\explorer.exe" common.copy_file(EXE_FILE, explorer) diff --git a/rta/suspicious_child_services.py b/rta/suspicious_child_services.py index 7c65c7579..d01404593 100644 --- a/rta/suspicious_child_services.py +++ b/rta/suspicious_child_services.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): services = "C:\\Users\\Public\\services.exe" pwsh = "C:\\Users\\Public\\pwsh.exe" diff --git a/rta/suspicious_child_solarwinds_businesslayerhost.py b/rta/suspicious_child_solarwinds_businesslayerhost.py index 2dbfda204..71fabbb8b 100644 --- a/rta/suspicious_child_solarwinds_businesslayerhost.py +++ b/rta/suspicious_child_solarwinds_businesslayerhost.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): buzz = "C:\\Users\\Public\\SolarWinds.BusinessLayerHost.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/suspicious_child_solarwindsdiagnostics.py b/rta/suspicious_child_solarwindsdiagnostics.py index dc1f0a74a..f0a0d347c 100644 
--- a/rta/suspicious_child_solarwindsdiagnostics.py +++ b/rta/suspicious_child_solarwindsdiagnostics.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): solarwindsdiagnostics = "C:\\Users\\Public\\solarwindsdiagnostics.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/suspicious_child_svchost_sch.py b/rta/suspicious_child_svchost_sch.py index dc00f1041..3ca3958a5 100644 --- a/rta/suspicious_child_svchost_sch.py +++ b/rta/suspicious_child_svchost_sch.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): svchost = "C:\\Users\\Public\\svchost.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/suspicious_child_wmiprvse.py b/rta/suspicious_child_wmiprvse.py index 8002b59b1..bf48690eb 100644 --- a/rta/suspicious_child_wmiprvse.py +++ b/rta/suspicious_child_wmiprvse.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): wmiprvse = "C:\\Users\\Public\\wmiprvse.exe" arp = "C:\\Windows\\System32\\arp.exe" diff --git a/rta/suspicious_child_zoom.py b/rta/suspicious_child_zoom.py index c3768ef4e..9e8f15d43 100644 --- a/rta/suspicious_child_zoom.py +++ b/rta/suspicious_child_zoom.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): zoom = "C:\\Users\\Public\\zoom.exe" pwsh = "C:\\Users\\Public\\pwsh.exe" 
diff --git a/rta/suspicious_dll_registration_regsvr32.py b/rta/suspicious_dll_registration_regsvr32.py index 0370a0516..98f986284 100644 --- a/rta/suspicious_dll_registration_regsvr32.py +++ b/rta/suspicious_dll_registration_regsvr32.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Suspicious DLL Registration by Regsvr32") diff --git a/rta/suspicious_lineage_script.py b/rta/suspicious_lineage_script.py index 951b77389..f498fe95d 100644 --- a/rta/suspicious_lineage_script.py +++ b/rta/suspicious_lineage_script.py @@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cscript = "C:\\Users\\Public\\cscript.exe" explorer = "C:\\Users\\Public\\explorer.exe" diff --git a/rta/suspicious_msiexec_child.py b/rta/suspicious_msiexec_child.py index 88ebc5979..c63a13642 100644 --- a/rta/suspicious_msiexec_child.py +++ b/rta/suspicious_msiexec_child.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): msiexec = "C:\\Users\\Public\\msiexec.exe" regsvr32 = "C:\\Users\\Public\\regsvr32.exe" diff --git a/rta/suspicious_office_child.py b/rta/suspicious_office_child.py index 7d3053828..cc0537b07 100644 --- a/rta/suspicious_office_child.py +++ b/rta/suspicious_office_child.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): binary = "winword.exe" common.copy_file(EXE_FILE, binary) diff --git a/rta/suspicious_office_children.py b/rta/suspicious_office_children.py index f3fcb0627..0099d5eac 100644 --- a/rta/suspicious_office_children.py 
+++ b/rta/suspicious_office_children.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): cmd_path = "c:\\windows\\system32\\cmd.exe" diff --git a/rta/suspicious_office_descendant_fp.py b/rta/suspicious_office_descendant_fp.py index 6c1d902fe..51ba3b763 100644 --- a/rta/suspicious_office_descendant_fp.py +++ b/rta/suspicious_office_descendant_fp.py @@ -8,7 +8,7 @@ # ATT&CK: T1064 # Description: Generates various children processes from emulated Office processes. -import os +from pathlib import Path import time from . import common @@ -24,7 +24,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("MS Office unusual child process emulation") suspicious_apps = [ @@ -33,13 +33,13 @@ def main(): "wscript.exe //b", ] cmd_path = "c:\\windows\\system32\\cmd.exe" - browser_path = os.path.abspath("firefox.exe") + browser_path = Path("firefox.exe").resolve() common.copy_file(cmd_path, browser_path) for office_app in ["winword.exe", "excel.exe"]: common.log("Emulating %s" % office_app) - office_path = os.path.abspath(office_app) + office_path = Path(office_app).resolve() common.copy_file(cmd_path, office_path) for command in suspicious_apps: diff --git a/rta/suspicious_parent_cmd.py b/rta/suspicious_parent_cmd.py index e67bf7450..7bb16f08d 100644 --- a/rta/suspicious_parent_cmd.py +++ b/rta/suspicious_parent_cmd.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): logonui = "C:\\Users\\Public\\logonui.exe" cmd = "C:\\Windows\\System32\\cmd.exe" diff --git a/rta/suspicious_parent_csc.py b/rta/suspicious_parent_csc.py index d9ce4a253..959cf0495 100644 --- a/rta/suspicious_parent_csc.py +++ b/rta/suspicious_parent_csc.py 
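Review bot: In the `suspicious_office_descendant_fp.py` import hunk the new block reads `from pathlib import Path` then `import time`, with `from . import common` left on its own line, which is the reverse of the ordering the other ported files in this commit use (`import time`, then `from pathlib import Path`, then `from . import RtaMetadata, common`). Matching that order keeps the stdlib group sorted and the local imports merged, consistent with the sibling changes. The `from . import RtaMetadata` line presumably follows just outside the hunk.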
@@ -17,7 +17,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): wscript = "C:\\Users\\Public\\wscript.exe" csc = "C:\\Users\\Public\\csc.exe" diff --git a/rta/suspicious_parent_msbuild_explorer.py b/rta/suspicious_parent_msbuild_explorer.py index cd1216794..8f1cb2e6f 100644 --- a/rta/suspicious_parent_msbuild_explorer.py +++ b/rta/suspicious_parent_msbuild_explorer.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): explorer = "C:\\Users\\Public\\explorer.exe" msbuild = "C:\\Users\\Public\\msbuild.exe" diff --git a/rta/suspicious_parent_msbuild_office.py b/rta/suspicious_parent_msbuild_office.py index 56f0c3587..aa45b68ec 100644 --- a/rta/suspicious_parent_msbuild_office.py +++ b/rta/suspicious_parent_msbuild_office.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): excel = "C:\\Users\\Public\\excel.exe" msbuild = "C:\\Users\\Public\\msbuild.exe" diff --git a/rta/suspicious_parent_msbuild_script.py b/rta/suspicious_parent_msbuild_script.py index 0475f779a..b3016dbb2 100644 --- a/rta/suspicious_parent_msbuild_script.py +++ b/rta/suspicious_parent_msbuild_script.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Users\\Public\\powershell.exe" msbuild = "C:\\Users\\Public\\msbuild.exe" diff --git a/rta/suspicious_parent_sc.py b/rta/suspicious_parent_sc.py index b082c913d..90b141818 100644 --- a/rta/suspicious_parent_sc.py +++ b/rta/suspicious_parent_sc.py 
@@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" sc = "C:\\Users\\Public\\sc.exe" diff --git a/rta/suspicious_parent_smss.py b/rta/suspicious_parent_smss.py index 1246e78c1..1f0691cd7 100644 --- a/rta/suspicious_parent_smss.py +++ b/rta/suspicious_parent_smss.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): smss = "C:\\Users\\Public\\smss.exe" conhost = "C:\\Users\\Public\\conhost.exe" diff --git a/rta/suspicious_powershell_download.py b/rta/suspicious_powershell_download.py index 61c26b059..c45d2ff41 100644 --- a/rta/suspicious_powershell_download.py +++ b/rta/suspicious_powershell_download.py @@ -3,12 +3,10 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -import os import time +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="20b96aa7-609e-473f-ac35-5ac19d10f9a5", @@ -27,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() url = "http://{}:{}/bad.ps1".format(ip, port) @@ -37,7 +35,7 @@ def main(): # Emulate Word user_app = "winword.exe" common.log("Emulating {}".format(user_app)) - user_app_path = os.path.abspath(user_app) + user_app_path = Path(user_app).resolve() common.copy_file(EXE_FILE, user_app_path) common.execute([user_app_path, "/c", cmd]) diff --git a/rta/suspicious_wmic_script.py b/rta/suspicious_wmic_script.py index c8c3c6298..df1add08c 100644 --- a/rta/suspicious_wmic_script.py 
+++ b/rta/suspicious_wmic_script.py @@ -37,7 +37,7 @@ version="1.0"> """ -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Executing suspicious WMIC script") diff --git a/rta/suspicious_wscript_parent.py b/rta/suspicious_wscript_parent.py index 78004bdcd..9b8da04d9 100644 --- a/rta/suspicious_wscript_parent.py +++ b/rta/suspicious_wscript_parent.py @@ -9,12 +9,10 @@ # ATT&CK: T1064, T1192, T1193 # Description: WScript run with suspicious parent processes -import os import time +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="a3cdd478-b817-4513-bb3d-897a5f92c836", @@ -28,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): script_data = """ WScript.CreateObject("wscript.shell") @@ -41,7 +39,7 @@ def main(): for application in ["outlook.exe", "explorer.exe", "chrome.exe", "firefox.exe"]: common.log("Emulating %s" % application) - app_path = os.path.abspath(application) + app_path = Path(application).resolve() common.copy_file(cmd_path, app_path) common.execute([app_path, "/c", "wscript.exe", "script_path"], timeout=1, kill=True) diff --git a/rta/system_restore_process.py b/rta/system_restore_process.py index 9a23e2073..88ccf3238 100644 --- a/rta/system_restore_process.py +++ b/rta/system_restore_process.py @@ -8,11 +8,9 @@ # ATT&CK: T1158 # Description: Copies mock malware into the System Volume Information directory and executes. -import os - -from . import common -from . import RtaMetadata +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="0fcf5aeb-cebd-466d-8a2e-ddb710ec845d", 
@@ -26,7 +24,7 @@ metadata = RtaMetadata( SYSTEM_RESTORE = "c:\\System Volume Information" -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(common.PS_EXEC) def main(): status = common.run_system() @@ -42,7 +40,7 @@ def main(): common.log("No writeable directories in System Restore. Exiting...", "-") return common.UNSUPPORTED_RTA - target_path = os.path.join(target_directory, "restore-process.exe") + target_path = Path(target_directory) / "restore-process.exe" common.copy_file(program_path, target_path) common.execute(target_path) diff --git a/rta/systemkey_credential_access.py b/rta/systemkey_credential_access.py index 3e611916f..130f335e1 100644 --- a/rta/systemkey_credential_access.py +++ b/rta/systemkey_credential_access.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/bash" diff --git a/rta/systemsetup_ssh_enable.py b/rta/systemsetup_ssh_enable.py index d973737f2..1b83056c2 100644 --- a/rta/systemsetup_ssh_enable.py +++ b/rta/systemsetup_ssh_enable.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/systemsetup" diff --git a/rta/tar_dylib.py b/rta/tar_dylib.py index afd862d20..3736cdedb 100644 --- a/rta/tar_dylib.py +++ b/rta/tar_dylib.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # Execute command" diff --git a/rta/tcc_bypass_mounted_apfs.py b/rta/tcc_bypass_mounted_apfs.py index 3e7104c86..6ecdf1300 100644 --- a/rta/tcc_bypass_mounted_apfs.py +++ b/rta/tcc_bypass_mounted_apfs.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/mount_apfs" 
diff --git a/rta/tcc_modification.py b/rta/tcc_modification.py index 733d4c316..92d35482f 100644 --- a/rta/tcc_modification.py +++ b/rta/tcc_modification.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/sqlite" diff --git a/rta/trust_provider.py b/rta/trust_provider.py index 8e7072d21..4d4d32b30 100644 --- a/rta/trust_provider.py +++ b/rta/trust_provider.py @@ -45,7 +45,7 @@ else: TARGET_APP = common.get_path("bin", "myapp.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(SIGCHECK, TRUST_PROVIDER_DLL, TARGET_APP) def main(): common.log("Trust Provider") diff --git a/rta/uac_cdssync.py b/rta/uac_cdssync.py index 5f3838524..f6c038c6c 100644 --- a/rta/uac_cdssync.py +++ b/rta/uac_cdssync.py @@ -3,10 +3,10 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata -import os +import shutil +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="7e9a94f4-46aa-45eb-b95b-53da7c01a033", 
@@ -26,21 +26,21 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" taskhostw = "C:\\Users\\Public\\taskhostw.exe" path = "C:\\Users\\Public\\System32" user32 = "C:\\Windows\\System32\\user32.dll" dll = path + "\\npmproxy.dll" - os.makedirs(path, exist_ok=True) + Path(path).mkdir(parents=True, exist_ok=True) common.copy_file(user32, dll) common.copy_file(EXE_FILE, taskhostw) common.log("Spawning PowerShell from fake taskhostw") common.execute([taskhostw, "/c", powershell], timeout=10, kill=True) common.remove_files(dll, taskhostw) - os.removedirs(path) + shutil.rmtree(path) if __name__ == "__main__": diff --git a/rta/uac_clipup.py b/rta/uac_clipup.py index da2bbabcb..716a063d3 100644 --- a/rta/uac_clipup.py +++ b/rta/uac_clipup.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dllhost = "C:\\Users\\Public\\dllhost.exe" clipup = "C:\\Users\\Public\\clipup.exe" diff --git a/rta/uac_computerdefaults.py b/rta/uac_computerdefaults.py index 0cb837c59..6f6a11c71 100644 --- a/rta/uac_computerdefaults.py +++ b/rta/uac_computerdefaults.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software\\Classes\\ms-settings\\shell\\open\\command" value = "test" diff --git a/rta/uac_dccw.py b/rta/uac_dccw.py index 947318123..a3f956442 100644 --- a/rta/uac_dccw.py +++ b/rta/uac_dccw.py 
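Review bot: Replacing `os.removedirs(path)` with `shutil.rmtree(path)` at the end of main() is not behavior-preserving: `os.removedirs` only deletes empty directories, while `rmtree` deletes the whole tree under `C:\Users\Public\System32`. Because the directory is created with `mkdir(parents=True, exist_ok=True)`, a pre-existing directory at that fixed path is accepted, and any files already in it would now be destroyed at cleanup. `common.remove_files(dll, taskhostw)` has already removed the only file this RTA writes there, so the empty-only semantics can be kept with `Path(path).rmdir()` instead.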
@@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dccw = "C:\\Users\\Public\\dccw.exe" dllhost = "C:\\Users\\Public\\dllhost.exe" diff --git a/rta/uac_diskcleanup.py b/rta/uac_diskcleanup.py index f111397c2..4e80a8078 100644 --- a/rta/uac_diskcleanup.py +++ b/rta/uac_diskcleanup.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" common.execute([powershell, "/autoclean", "/d"], timeout=2, kill=True) diff --git a/rta/uac_dism_dll_side_loading.py b/rta/uac_dism_dll_side_loading.py index 6beab774a..41b82d10f 100644 --- a/rta/uac_dism_dll_side_loading.py +++ b/rta/uac_dism_dll_side_loading.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dism = "C:\\Users\\Public\\Dism.exe" dllhost = "C:\\Users\\Public\\dllhost.exe" diff --git a/rta/uac_eventviewer.py b/rta/uac_eventviewer.py index 33e216b87..865cebb06 100644 --- a/rta/uac_eventviewer.py +++ b/rta/uac_eventviewer.py @@ -29,7 +29,7 @@ metadata = RtaMetadata( # %SystemRoot%\system32\mmc.exe "%1" %* -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(target_file=common.get_path("bin", "myapp.exe")): winreg = common.get_winreg() common.log("Bypass UAC with %s" % target_file) diff --git a/rta/uac_eventvwr.py b/rta/uac_eventvwr.py index 6c5bfa9cc..30811d440 100644 --- a/rta/uac_eventvwr.py +++ b/rta/uac_eventvwr.py 
@@ -21,7 +21,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): eventvwr = "C:\\Users\\Public\\eventvwr.exe" powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/uac_fodhelper.py b/rta/uac_fodhelper.py index 86fe0f002..55734e793 100644 --- a/rta/uac_fodhelper.py +++ b/rta/uac_fodhelper.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software\\Classes\\ms-settings\\shell\\open\\command" value = "test" diff --git a/rta/uac_icmluautil.py b/rta/uac_icmluautil.py index 6605c6fc2..fefccdd13 100644 --- a/rta/uac_icmluautil.py +++ b/rta/uac_icmluautil.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): dllhost = "C:\\Users\\Public\\dllhost.exe" common.copy_file(EXE_FILE, dllhost) diff --git a/rta/uac_mmc_deserialization.py b/rta/uac_mmc_deserialization.py index 219617c1d..f2cc8f8c5 100644 --- a/rta/uac_mmc_deserialization.py +++ b/rta/uac_mmc_deserialization.py @@ -3,10 +3,10 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. -from . import common -from . import RtaMetadata import os +from pathlib import Path +from . import RtaMetadata, common metadata = RtaMetadata( uuid="1d486055-38f8-4cf3-aec1-7f4f72d73fb2", 
@@ -24,20 +24,20 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): appdata = os.getenv("LOCALAPPDATA") - path = appdata + "\\Microsoft\\Event Viewer" - recentfiles = path + "\\RecentViews" + path = Path(appdata) / "\\Microsoft\\Event Viewer" + recentfiles = path / "\\RecentViews" - if os.path.exists(path): + if path.is_dir(): common.copy_file(EXE_FILE, recentfiles) common.remove_file(recentfiles) else: - os.mkdir(path) + path.mkdir() common.copy_file(EXE_FILE, recentfiles) common.remove_file(recentfiles) - os.rmdir(path) + path.rmdir() if __name__ == "__main__": diff --git a/rta/uac_mmc_hijack.py b/rta/uac_mmc_hijack.py index 7cbff6458..878615ca4 100644 --- a/rta/uac_mmc_hijack.py +++ b/rta/uac_mmc_hijack.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): mmc = "C:\\Users\\Public\\mmc.exe" msc = "C:\\Users\\Public\\a.msc" diff --git a/rta/uac_mmc_net_core_profiler.py b/rta/uac_mmc_net_core_profiler.py index 86f572004..d422b884e 100644 --- a/rta/uac_mmc_net_core_profiler.py +++ b/rta/uac_mmc_net_core_profiler.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Environment" value = "COR_PROFILER_PATH" diff --git a/rta/uac_sdclt.py b/rta/uac_sdclt.py index 309be5580..6aa2ed8d5 100644 --- a/rta/uac_sdclt.py +++ b/rta/uac_sdclt.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): sdclt = "C:\\Users\\Public\\sdclt.exe" common.copy_file(EXE_FILE, sdclt) 
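Review bot: The rewritten `path = Path(appdata) / "\\Microsoft\\Event Viewer"` and `recentfiles = path / "\\RecentViews"` no longer point under `%LOCALAPPDATA%`: a right-hand segment starting with a backslash is rooted, and pathlib keeps the drive but discards the earlier directories, so `Path("C:\\Users\\x\\AppData\\Local") / "\\Microsoft\\Event Viewer"` becomes `C:\Microsoft\Event Viewer` and `recentfiles` becomes `C:\RecentViews`. The RTA would then create and delete a directory at the drive root rather than the Event Viewer folder the rule is meant to exercise. Drop the leading backslashes: `path = Path(appdata) / "Microsoft" / "Event Viewer"` and `recentfiles = path / "RecentViews"`. Note also that `Path(appdata)` raises TypeError when `LOCALAPPDATA` is unset, where the old string concatenation failed with a less obvious error; a short guard that logs and returns would make the failure mode clearer.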
diff --git a/rta/uac_sysprep.py b/rta/uac_sysprep.py index 38e637774..5fd9bbdb1 100644 --- a/rta/uac_sysprep.py +++ b/rta/uac_sysprep.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Bypass UAC with CRYPTBASE.dll") diff --git a/rta/uac_windir_masq.py b/rta/uac_windir_masq.py index 85925a21e..f4cf8e715 100644 --- a/rta/uac_windir_masq.py +++ b/rta/uac_windir_masq.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\proc.exe" common.copy_file(EXE_FILE, proc) diff --git a/rta/uac_windows_activation.py b/rta/uac_windows_activation.py index 2bb11917e..c65076d2c 100644 --- a/rta/uac_windows_activation.py +++ b/rta/uac_windows_activation.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software\\Classes\\Launcher.SystemSettings\\shell\\open\\command" value = "test" diff --git a/rta/uac_winfw_mmc.py b/rta/uac_winfw_mmc.py index dc4a90bb7..8e71dcabe 100644 --- a/rta/uac_winfw_mmc.py +++ b/rta/uac_winfw_mmc.py @@ -30,7 +30,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): mmc = "C:\\Users\\Public\\mmc.exe" dllhost = "C:\\Users\\Public\\dllhost.exe" diff --git a/rta/uac_wow64log.py b/rta/uac_wow64log.py index 9fa0ec345..14618f6f2 100644 --- a/rta/uac_wow64log.py +++ b/rta/uac_wow64log.py 
@@ -24,7 +24,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/uac_wsreset.py b/rta/uac_wsreset.py index 8f8e8d8e0..33324f6ca 100644 --- a/rta/uac_wsreset.py +++ b/rta/uac_wsreset.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "Software" value = "ms-windows-store" diff --git a/rta/uncommon_persistence.py b/rta/uncommon_persistence.py index 29b0daa5b..a1d3a97d0 100644 --- a/rta/uncommon_persistence.py +++ b/rta/uncommon_persistence.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" value = "Common Startup" diff --git a/rta/unshadow_execution.py b/rta/unshadow_execution.py index 3b5c4f89e..c2f6d23af 100644 --- a/rta/unshadow_execution.py +++ b/rta/unshadow_execution.py @@ -27,7 +27,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/unshadow" diff --git a/rta/unsigned_startup_item_netconn.py b/rta/unsigned_startup_item_netconn.py index d180a7039..97463f24a 100644 --- a/rta/unsigned_startup_item_netconn.py +++ b/rta/unsigned_startup_item_netconn.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\posh.exe" common.copy_file(EXE_FILE, posh) 
diff --git a/rta/unusual_kerberos_client.py b/rta/unusual_kerberos_client.py index a43e2633d..e355c2f83 100644 --- a/rta/unusual_kerberos_client.py +++ b/rta/unusual_kerberos_client.py @@ -27,7 +27,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Users\\Public\\posh.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/unusual_ms_tool_network.py b/rta/unusual_ms_tool_network.py index c94443c32..55428e5c2 100644 --- a/rta/unusual_ms_tool_network.py +++ b/rta/unusual_ms_tool_network.py @@ -9,12 +9,11 @@ # Description: Creates network traffic from a process which is named to match common administration and developer tools # that do not typically make network traffic unless being used maliciously. -import os import shutil import sys +from pathlib import Path -from . import common -from . import RtaMetadata +from . import RtaMetadata, common if sys.version_info > (3,): urlliblib = "urllib.request" @@ -53,7 +52,7 @@ process_names = [ def http_from_process(name, ip, port): - path = os.path.join(common.BASE_DIR, name) + path = Path(common.BASE_DIR) / name common.log("Making HTTP GET from %s" % path) shutil.copy(sys.executable, path) common.execute( @@ -66,7 +65,7 @@ def http_from_process(name, ip, port): common.remove_file(path) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() diff --git a/rta/unusual_parent_child.py b/rta/unusual_parent_child.py index 160a378c7..e451fcffe 100644 --- a/rta/unusual_parent_child.py +++ b/rta/unusual_parent_child.py 
@@ -9,12 +9,10 @@ # ATT&CK: T1093 # Description: Runs several Windows core processes directly, instead of from the proper parent in Windows. -import os import sys +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="6cf12026-f99f-4e5c-8cd4-3dbc7bce3e67", @@ -25,9 +23,9 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): - common.log("Running Windows processes with an unexpected parent of %s" % os.path.basename(sys.executable)) + common.log("Running Windows processes with an unexpected parent of %s" % Path(sys.executable).name) process_names = [ # "C:\\Windows\\System32\\smss.exe", BSOD (avoid this) # "C:\\Windows\\System32\\csrss.exe", BSOD (avoid this) @@ -42,7 +40,7 @@ def main(): for process in process_names: # taskhostw.exe isn't on all versions of windows - if os.path.exists(process): + if Path(process).is_file(): common.execute([process], timeout=2, kill=True) else: common.log("Skipping %s" % process, "-") diff --git a/rta/unusual_parent_chrome_extension.py b/rta/unusual_parent_chrome_extension.py index a011dd6ab..d532292aa 100644 --- a/rta/unusual_parent_chrome_extension.py +++ b/rta/unusual_parent_chrome_extension.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): proc = "C:\\Users\\Public\\proc.exe" childproc = "C:\\Users\\Public\\childproc.exe" diff --git a/rta/unusual_powershell_engine_image_load.py b/rta/unusual_powershell_engine_image_load.py index b6ac4ac2a..cc5983718 100644 --- a/rta/unusual_powershell_engine_image_load.py +++ b/rta/unusual_powershell_engine_image_load.py 
@@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" posh = "C:\\Windows\\System32\\posh.exe" diff --git a/rta/unusual_rdp_client.py b/rta/unusual_rdp_client.py index 42db9adc4..1e1b692c9 100644 --- a/rta/unusual_rdp_client.py +++ b/rta/unusual_rdp_client.py @@ -21,7 +21,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" posh = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\posh.exe" diff --git a/rta/unzip_to_tmp.py b/rta/unzip_to_tmp.py index 917b47ddc..ddda2e847 100644 --- a/rta/unzip_to_tmp.py +++ b/rta/unzip_to_tmp.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/Users/bash" diff --git a/rta/user_action_script.py b/rta/user_action_script.py index a4b8fab4c..8113d650d 100644 --- a/rta/user_action_script.py +++ b/rta/user_action_script.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): # create masquerades diff --git a/rta/user_dir_escalation.py b/rta/user_dir_escalation.py index 34882c0db..cafcab9cf 100644 --- a/rta/user_dir_escalation.py +++ b/rta/user_dir_escalation.py @@ -9,10 +9,9 @@ # Description: Spawns mock malware written to a regular user directory and executes as System. import os +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="dc734786-66bd-4be6-bd06-eb41fa7b6745", 
@@ -23,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(common.PS_EXEC) def main(): # make sure path is absolute for psexec @@ -35,10 +34,10 @@ def main(): source_path = common.get_path("bin", "myapp.exe") target_directory = "c:\\users\\fake_user_rta-%d" % os.getpid() - if not os.path.exists(target_directory): - os.makedirs(target_directory) + if not Path(target_directory).is_dir(): + Path(target_directory).mkdir(parents=True) - target_path = os.path.join(target_directory, "user_file.exe") + target_path = Path(target_directory) / "user_file.exe" common.copy_file(source_path, target_path) common.execute([target_path]) diff --git a/rta/user_mode_smb_connection.py b/rta/user_mode_smb_connection.py index 891ed451d..4690aeeff 100644 --- a/rta/user_mode_smb_connection.py +++ b/rta/user_mode_smb_connection.py @@ -21,7 +21,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" posh = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\posh.exe" diff --git a/rta/vaultcmd_commands.py b/rta/vaultcmd_commands.py index 69aad84bb..67cf397eb 100644 --- a/rta/vaultcmd_commands.py +++ b/rta/vaultcmd_commands.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Searching Credential Vaults via VaultCmd") diff --git a/rta/webproxy_modification.py b/rta/webproxy_modification.py index 145b7bf0a..934ee03e7 100644 --- a/rta/webproxy_modification.py +++ b/rta/webproxy_modification.py @@ -16,7 +16,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/networksetup" diff --git a/rta/webservice_lolbas.py b/rta/webservice_lolbas.py index 0bbba801e..4974f9fe8 100644 
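Review bot: The new `if not Path(target_directory).is_dir(): Path(target_directory).mkdir(parents=True)` pair can be a single `Path(target_directory).mkdir(parents=True, exist_ok=True)`, which also removes the check-then-create window; note that `is_dir()` is narrower than the old `os.path.exists`, so a stray file at that path would now raise FileExistsError from `mkdir` rather than being skipped. `target_path` is now a `Path` rather than a str when handed to `common.copy_file` and `common.execute([target_path])`; whether those helpers accept path-like objects is not visible in this hunk and should be confirmed, since the same change is made in system_restore_process.py where `common.execute(target_path)` receives a bare `Path`. main() continues past the end of this hunk.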
--- a/rta/webservice_lolbas.py +++ b/rta/webservice_lolbas.py @@ -25,7 +25,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" diff --git a/rta/webservice_unsigned.py b/rta/webservice_unsigned.py index d6a025c9e..4389660dd 100644 --- a/rta/webservice_unsigned.py +++ b/rta/webservice_unsigned.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): posh = "C:\\Users\\Public\\posh.exe" common.copy_file(EXE_FILE, posh) diff --git a/rta/werfault_masquerading.py b/rta/werfault_masquerading.py index c37f52f24..916dcc947 100644 --- a/rta/werfault_masquerading.py +++ b/rta/werfault_masquerading.py @@ -20,7 +20,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "regsvr32.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): werfault = "C:\\Users\\Public\\werfault.exe" diff --git a/rta/werfault_persistence.py b/rta/werfault_persistence.py index 06f729786..2559d51cf 100644 --- a/rta/werfault_persistence.py +++ b/rta/werfault_persistence.py @@ -26,7 +26,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MY_APP) def main(): reg_key = "'HKLM:\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\hangs'" diff --git a/rta/wevtutil_log_clear.py b/rta/wevtutil_log_clear.py index 820258ed2..fad12fcc0 100644 --- a/rta/wevtutil_log_clear.py +++ b/rta/wevtutil_log_clear.py @@ -24,7 +24,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("Clearing Windows Event Logs") common.log("WARNING - About to clear logs from Windows Event Viewer", log_type="!") 
diff --git a/rta/windefend_svc_stop.py b/rta/windefend_svc_stop.py index 0dafb8ce4..8fe208a79 100644 --- a/rta/windefend_svc_stop.py +++ b/rta/windefend_svc_stop.py @@ -22,7 +22,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): powershell = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" tempshell = "C:\\Users\\Public\\powershell.exe" diff --git a/rta/windows_script_host_file_written_exec.py b/rta/windows_script_host_file_written_exec.py index d3bd19fd8..d6577a66a 100644 --- a/rta/windows_script_host_file_written_exec.py +++ b/rta/windows_script_host_file_written_exec.py @@ -29,7 +29,7 @@ metadata = RtaMetadata( EXE_FILE = common.get_path("bin", "renamed_posh.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): server, ip, port = common.serve_web() url = f"http://{ip}:{port}/bin/renamed_posh.exe" diff --git a/rta/winrar_encrypted.py b/rta/winrar_encrypted.py index 18669ded0..1736d4261 100644 --- a/rta/winrar_encrypted.py +++ b/rta/winrar_encrypted.py @@ -9,12 +9,10 @@ # Description: Uses "bin\rar.exe" to perform encryption of archives and archive headers. import base64 -import os import sys +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="6d2d3c21-2d71-4395-8ab7-b1d0138d9225", 
@@ -29,14 +27,14 @@ MY_APP = common.get_path("bin", "myapp.exe") WINRAR = common.get_path("bin", "Rar.exe") -def create_exfil(path=os.path.abspath("secret_stuff.txt")): +def create_exfil(path=Path("secret_stuff.txt").resolve()): common.log("Writing dummy exfil to %s" % path) with open(path, "wb") as f: f.write(base64.b64encode(b"This is really secret stuff" * 100)) return path -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) @common.dependencies(MY_APP, WINRAR) def main(password="s0l33t"): # Copies of the rar.exe for various tests @@ -44,15 +42,15 @@ def main(password="s0l33t"): common.patch_file(WINRAR, b"win.rar GmbH", b"bad.bad GmbH", winrar_bin_modsig) # Renamed copies of executables - winrar_bin_modsig_a = os.path.abspath("a.exe") - winrar_bin_b = os.path.abspath("b.exe") + winrar_bin_modsig_a = Path("a.exe").resolve() + winrar_bin_b = Path("b.exe").resolve() common.copy_file(winrar_bin_modsig, winrar_bin_modsig_a) common.copy_file(WINRAR, winrar_bin_b) # Output options for various tests - rar_file = os.path.abspath("out.rar") - rar_file_jpg = os.path.abspath("out.jpg") + rar_file = Path("out.rar").resolve() + rar_file_jpg = Path("out.jpg").resolve() common.remove_files(rar_file, rar_file_jpg) # use case: rar with -hp to generate new rar file w/ .rar diff --git a/rta/winrar_startup_folder.py b/rta/winrar_startup_folder.py index 7fd825ae5..ff5c7fc4c 100644 --- a/rta/winrar_startup_folder.py +++ b/rta/winrar_startup_folder.py @@ -9,10 +9,9 @@ # Description: Writes batch file into Windows Startup folder using process ancestry tied to exploit (CVE-2018-20250) import os +from pathlib import Path -from . import common -from . import RtaMetadata - +from . import RtaMetadata, common metadata = RtaMetadata( uuid="6d2d3c21-2d71-4395-8ab7-b1d0138d9225", 
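Review bot: The default in `def create_exfil(path=Path("secret_stuff.txt").resolve()):` is evaluated once at import time, so the file lands relative to whatever the CWD was when the rta package was imported rather than when the RTA runs; the old `os.path.abspath` default had the same pitfall, so the commit preserves it while touching the line. Resolving lazily keeps the signature compatible: `def create_exfil(path=None):` followed by `path = Path(path or "secret_stuff.txt").resolve()` as the first statement of the body.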
@@ -23,11 +22,11 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): common.log("WinRAR StartUp Folder Persistence") - win_rar_path = os.path.abspath("WinRAR.exe") - ace_loader_path = os.path.abspath("Ace32Loader.exe") + win_rar_path = Path("WinRAR.exe").resolve() + ace_loader_path = Path("Ace32Loader.exe").resolve() batch_file_path = "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mssconf.bat" startup_path = os.environ["USERPROFILE"] + batch_file_path common.copy_file("C:\\Windows\\System32\\cmd.exe", win_rar_path) diff --git a/rta/wizardupdate_infection.py b/rta/wizardupdate_infection.py index 5f3476c07..4d7c00a48 100644 --- a/rta/wizardupdate_infection.py +++ b/rta/wizardupdate_infection.py @@ -18,7 +18,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/curl" diff --git a/rta/wmi_incoming_logon.py b/rta/wmi_incoming_logon.py index 5175a8d1c..417b23117 100644 --- a/rta/wmi_incoming_logon.py +++ b/rta/wmi_incoming_logon.py @@ -23,7 +23,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(remote_host=None): if not remote_host: common.log("A remote host is required to detonate this RTA", "!") diff --git a/rta/wmic_xsl_exec.py b/rta/wmic_xsl_exec.py index dc1235c80..bbefca2de 100644 --- a/rta/wmic_xsl_exec.py +++ b/rta/wmic_xsl_exec.py @@ -22,7 +22,7 @@ EXE_FILE = common.get_path("bin", "renamed_posh.exe") PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): wmic = "C:\\Users\\Public\\wmic.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/wuauclt_image_load.py b/rta/wuauclt_image_load.py index 033421a87..4e83cf6e0 100644 --- a/rta/wuauclt_image_load.py +++ b/rta/wuauclt_image_load.py 
@@ -28,7 +28,7 @@ PS1_FILE = common.get_path("bin", "Invoke-ImageLoad.ps1") RENAMER = common.get_path("bin", "rcedit-x64.exe") -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): wuauclt = "C:\\Users\\Public\\wuauclt.exe" user32 = "C:\\Windows\\System32\\user32.dll" diff --git a/rta/xcsset_infection.py b/rta/xcsset_infection.py index eeeeba60a..9adf70e44 100644 --- a/rta/xcsset_infection.py +++ b/rta/xcsset_infection.py @@ -17,7 +17,7 @@ metadata = RtaMetadata( ) -@common.requires_os(metadata.platforms) +@common.requires_os(*metadata.platforms) def main(): masquerade = "/tmp/zip" diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/_deprecated/command_and_control_linux_iodine_activity.toml similarity index 75% rename from rules/linux/command_and_control_linux_iodine_activity.toml rename to rules/_deprecated/command_and_control_linux_iodine_activity.toml index 871926ebc..175ce0171 100644 --- a/rules/linux/command_and_control_linux_iodine_activity.toml +++ b/rules/_deprecated/command_and_control_linux_iodine_activity.toml @@ -1,10 +1,11 @@ [metadata] creation_date = "2020/02/18" +deprecation_date = "2023/09/25" integration = ["endpoint"] -maturity = "production" +maturity = "deprecated" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/25" +updated_date = "2023/09/25" [rule] author = ["Elastic"] 
@@ -23,27 +24,37 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Deprecated - Potential DNS Tunneling via Iodine" -note = """This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule.""" +note = "This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule." references = ["https://code.kryo.se/iodine/"] risk_score = 73 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" + query = ''' event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml b/rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml new file mode 100644 index 000000000..9a4eec122 --- /dev/null +++ b/rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml 
@@ -0,0 +1,137 @@ +[metadata] +creation_date = "2023/06/26" +deprecation_date = "2023/09/25" +integration = ["endpoint"] +maturity = "deprecated" +min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0" +min_stack_version = "8.6.0" +updated_date = "2023/09/25" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to +inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious +shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common +and will potentially indicate malicious or suspicious behavior. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable" +note = """ This rule was deprecated due to the large amount of false positives and the lack of true positives generated by the rule. +## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click Add integrations. +- In the query bar, search for Elastic Defend and select the integration to see more details about it. +- Click Add Elastic Defend. 
+- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click Save and Continue. +- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +Elastic Defend integration does not collect environment variable logging by default. +In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration. + #### To set up environment variable capture for an Elastic Agent policy: +- Go to Security → Manage → Policies. +- Select an Elastic Agent policy. +- Click Show advanced settings. +- Scroll down or search for linux.advanced.capture_env_vars. +- Enter the names of env vars you want to capture, separated by commas. +- For this rule the linux.advanced.capture_env_vars variable should be set to "LD_PRELOAD,LD_LIBRARY_PATH". +- Click Save. 
+After saving the integration change, the Elastic Agents running this policy will be updated and +the rule will function properly. +For more information on capturing environment variables refer the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). + +""" +references = ["https://www.getambassador.io/resources/code-injection-on-linux-and-macos"] +risk_score = 21 +rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.action == "exec" and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" 
+[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml index 5ff9158c8..628f73226 100644 --- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml +++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/20" +updated_date = "2023/10/16" [rule] author = ["Elastic"] 
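Review bot: The `note` value opens with a stray space (`""" This rule was deprecated ...`) and runs the deprecation sentence straight into `## Setup` with no blank line, whereas the other deprecated rule in this diff (command_and_control_linux_iodine_activity) carries the deprecation rationale as a clean single sentence. Write it as `note = """This rule was deprecated due to the large amount of false positives and the lack of true positives generated by the rule.` followed by an empty line before `## Setup`. Further down in the same string, ` #### To set up environment variable capture for an Elastic Agent policy:` is indented by one space, unlike every other heading in the note; drop the leading space so the headings are formatted uniformly.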
@@ -38,27 +38,49 @@ sequence by host.id, process.entity_id with maxspan=30s /* Look for Google Drive download URL with AV flag skipping */ (process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*") -] + + /* ignore trusted processes */ + and not ( + process.code_signature.trusted == true and + process.code_signature.subject_name: + ("Mozilla Corporation", + "Google LLC", + "Google Inc", + "Bitdefender SRL", + "Microsoft Corporation", + "Netskope, Inc.", + "Avast Software s.r.o.", + "Microsoft Windows", + "AVG Technologies USA, LLC", + "Symantec Corporation", + "Trend Micro, Inc.", + "Palo Alto Networks (Netherlands) B.V.", + "Docker Inc")) + + /* ignore common benign processes */ + and not process.executable: + ("/bin/terraform", + "*/bin/dockerd", + "/usr/local/bin/docker-init", + "*/bin/go", + "?:\\Program Files*\\Mozilla Firefox\firefox.exe", + "?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe") + + /* ignore shellscripts + go install from legitimate repository*/ + and not (process.executable == "/bin/sh" and process.args : "go install google.golang.org*")] [network where /* Look for DNS requests for Google Drive */ (dns.question.name : "drive.google.com" and dns.question.type : "A") or /* Look for connection attempts to address that resolves to Google */ - (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted") - - /* NOTE: Add LoLBins if tuning is required - process.name : ( - "cmd.exe", "bitsadmin.exe", "certutil.exe", "esentutl.exe", "wmic.exe", "PowerShell.exe", - "homedrive.exe","regsvr32.exe", "mshta.exe", "rundll32.exe", "cscript.exe", "wscript.exe", - "curl", "wget", "scp", "ftp", "python", "perl", "ruby"))] */ -] + (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")] /* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */ -[file where 
event.action == "creation" and file.extension : ( - "exe", "dll", "scr", "jar", "pif", "app", "dmg", "pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk" - ) -] +[file where event.action == "creation" and + file.extension : + ("exe", "dll", "scr", "jar", "pif", "app", "dmg", + "pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk")] ''' diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml index 9ab2adb5f..b863a6bf6 100644 --- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml +++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/22" [rule] author = ["Elastic"] 
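Review bot: In the new `process.executable` exclusion list, the Firefox entry `"?:\\Program Files*\\Mozilla Firefox\firefox.exe"` writes the last separator as a single backslash while every other separator in the list is `\\`, so `\f` is either rejected by the EQL parser or consumed as an escape rather than a path separator, and the entry is unlikely to match the intended binary. Change it to `"?:\\Program Files*\\Mozilla Firefox\\firefox.exe"` so it lines up with the Chrome entry on the next line. The enclosing `sequence` query starts before this hunk.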
@@ -30,31 +30,36 @@ references = ["https://attack.mitre.org/techniques/T1571/"] risk_score = 21 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "OS: macOS", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by process.entity_id with maxspan=1m -[process where event.action == "exec" and process.name:"ssh"] -[network where process.name:"ssh" - and event.action in ("connection_attempted", "connection_accepted") - and destination.port != 22 - and destination.ip != "127.0.0.1" - and network.transport: "tcp" -] + [process where event.action == "exec" and process.name:"ssh" and not process.parent.name in ( + "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id", + "run" + ) + ] + [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and + destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp" + ] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index 5c3412363..8d37071c2 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml 
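Review bot: The new exclusion in the first `process` filter keys on `process.parent.name`, a value chosen by whatever launches `ssh`, so the allowlist is only as strong as the names in it; `run` in particular is a generic name that is likely to appear well outside the tooling it was added for, and the rule is silent for any such parent. Where the legitimate tools have fixed install locations, consider anchoring the broader entries on `process.parent.executable` paths instead, and record in `note` why each parent is excluded so the list can be re-evaluated later. Separately, the reformatted `tags` list still places `"OS: macOS"` after `"Tactic: Command and Control"`, while the other rules in this diff group the OS tags together ahead of `"Use Case: Threat Detection"`; moving it next to `"OS: Linux"` keeps the ordering consistent across the repository.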
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -20,10 +20,6 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Potential Cookies Theft via Browser Debugging" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", @@ -32,6 +28,14 @@ references = [ ] risk_score = 47 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 9c8e3f776..9d539247b 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml 
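Review bot: The new `setup` text ends with `refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html`, where the dash stands in for a preposition; `refer to https://...` is what is meant, and the string also opens with an empty line after `"""` that the former `note` block did not have. The same paragraph is pasted into defense_evasion_deleting_websvr_access_logs, defense_evasion_deletion_of_bash_command_line_history, defense_evasion_elastic_agent_service_terminated, defense_evasion_masquerading_space_after_filename, defense_evasion_timestomp_touch, discovery_security_software_grep, discovery_virtual_machine_fingerprinting_grep, execution_python_script_in_cmdline and execution_revershell_via_shell_cmd, so the wording fix belongs in all of them. discovery_security_software_grep and execution_revershell_via_shell_cmd additionally write `setup="""` without the spaces around `=` used in every other file and leave a trailing blank line inside the string; aligning them on `setup = """` keeps the TOML uniform.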
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -17,12 +17,16 @@ index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows. language = "eql" license = "Elastic License v2" name = "WebServer Access Logs Deleted" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index 89b2d8552..2abe70f7c 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml 
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -17,12 +17,16 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Tampering of Bash Command-Line History" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index e1e835acc..1597275d0 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml 
@@ -3,7 +3,7 @@ creation_date = "2022/05/23" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" integration = ["endpoint"] [rule] @@ -19,12 +19,16 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Elastic Agent Service Terminated" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index eb6c35024..4bfa53570 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -20,15 +20,19 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Masquerading Space After Filename" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading", ] risk_score = 47 rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index b0069f9a4..b4dd010d2 100644 --- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -18,12 +18,16 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Timestomping using Touch Command" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml index 902e64eb4..4e9d9c1c8 100644 --- a/rules/cross-platform/discovery_security_software_grep.toml +++ b/rules/cross-platform/discovery_security_software_grep.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -48,14 +48,27 @@ This rule looks for the execution of the `grep` utility with arguments compatibl - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -94,25 +107,32 @@ process.name : "grep" and user.id != "0" and "osquery*", "elastic-endpoint*" ) and - not (process.args : "Avast" and process.args : "Passwords") + not ( + (process.args : "Avast" and process.args : "Passwords") or + (process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or + (process.command_line : ( + "grep ESET Command-line scanner, version %s -A2", + "grep -i McAfee Web Gateway Core version:", + "grep --color=auto ESET Command-line scanner, version %s -A2" + ) + ) + ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index 240ed694d..67dd4291b 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
@@ -24,13 +24,17 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Virtual Machine Fingerprinting via Grep" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://objective-see.com/blog/blog_0x4F.html"] risk_score = 47 rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml index 197752e72..fc32f00c2 100644 --- a/rules/cross-platform/execution_python_script_in_cmdline.toml +++ b/rules/cross-platform/execution_python_script_in_cmdline.toml @@ -2,7 +2,9 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "development" -updated_date = "2023/06/22" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
@@ -16,12 +18,16 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Python Script Execution via Command Line" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index 191145340..aee9c12c8 100644 --- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml +++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
@@ -46,9 +46,6 @@ This rule identifies commands that are potentially related to reverse shell acti - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", @@ -57,8 +54,24 @@ references = [ ] risk_score = 73 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
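Review bot: The new `setup="""` key in the second hunk is written without spaces around `=`, while every other key in this file and the `setup = """` lines added to the Python-script, VM-fingerprinting and Zoom rules in the same change use the spaced form; TOML accepts both, but the repo's rule files are otherwise uniform and the discrepancy will show up in any future formatter pass. The reflowed `tags` array also closes with an indented `]` that does not line up with the opening bracket. Suggested line: `setup = """`.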
@@ -69,21 +82,21 @@ process where event.type in ("start", "process_started") and /* noisy FPs */ not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and - not process.command_line : ("*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*") and + not process.command_line : ( + "*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", + "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*", "*/dev/tcp/itom-vault/*") and not process.parent.command_line : "runc init" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index e0cdafbb3..7afbcbd6c 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml @@ -2,9 +2,9 @@ creation_date = "2021/01/19" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
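Review bot: The added `"*/dev/tcp/itom-vault/*"` exclusion is a bare hostname wildcard on `process.command_line`, so any reverse shell whose target is reachable under that name (an attacker-controlled `/etc/hosts` entry or a DNS label in a search domain) is silently dropped by a rule that ships publicly. The same weakness already exists for the `sirh_db`, `kafka` and `elk.stag.one` entries, but this hunk widens the list rather than moving the environment-specific names out of the query. Consider removing the literal from the query and carrying it as a rule exception, or at least scoping it with a stronger anchor such as `process.parent.executable` or `user.name` for the known deployment. If it stays, a comment in `setup` or `note` saying these hostnames are site-specific false-positive suppressions would help operators who copy the rule.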
@@ -14,7 +14,7 @@ malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Suspicious JAVA Child Process" note = """## Triage and analysis @@ -46,9 +46,6 @@ This rule identifies a suspicious child process of the Java interpreter process. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.lunasec.io/docs/blog/log4j-zero-day/", 
@@ -59,33 +56,56 @@ references = [ ] risk_score = 47 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where event.type in ("start", "process_started") and - process.parent.name : "java" and - process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget") +event.category:process and event.type:("start" or "process_started") and process.parent.name:"java" and process.name:( + "sh" or "bash" or "dash" or "ksh" or "tcsh" or "zsh" or "curl" or "wget" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", 
"process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml index 033920b2e..fd91d3d57 100644 --- a/rules/cross-platform/impact_hosts_file_modified.toml +++ b/rules/cross-platform/impact_hosts_file_modified.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
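Review bot: The `setup` text added in this hunk still opens with "If enabling an EQL rule on a non-elastic-agent index", but the same hunk switches the rule to `type = "new_terms"` with a KQL query (the language change is in the preceding hunk), so the caveat no longer describes this rule; the `timestamp_override = "event.ingested"` line is kept, so the pipeline advice may still apply, but the wording should say "this rule" rather than "an EQL rule". The conversion also changes coverage: with `new_terms_fields` of `host.id` and `process.command_line` and a `now-7d` history window, a repeat of an identical exploitation command line on the same host within seven days will not alert again, which is worth stating in `note` for a rule tagged "Use Case: Vulnerability". Suggested opening line: `If enabling this rule on a non-elastic-agent index (such as beats) for versions <8.2,`.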
@@ -50,15 +50,21 @@ This rule identifies modifications in the hosts file across multiple operating s - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml. - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"] risk_score = 47 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c" +setup=""" + +For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" 
@@ -73,7 +79,8 @@ any where miss this, which is the purpose of the process + command line args logic below */ ( event.category == "file" and event.type in ("change", "creation") and - file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") + file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and + not process.name in ("dockerd", "rootlesskit", "podman", "crio") ) or @@ -81,26 +88,25 @@ any where ( event.category == "process" and event.type in ("start") and process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and - process.args : ("/etc/hosts") + process.args : ("/etc/hosts") and + not process.parent.name in ("dhclient-script", "google_set_hostname") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1565" name = "Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/" + [[rule.threat.technique.subtechnique]] id = "T1565.001" name = "Stored Data Manipulation" reference = "https://attack.mitre.org/techniques/T1565/001/" - - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml index d07b08dd5..77bc8731a 100644 --- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml @@ -3,7 +3,7 @@ creation_date = "2020/09/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
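Review bot: The new exclusions in both hunks are name comparisons (`not process.name in ("dockerd", "rootlesskit", "podman", "crio")` and `not process.parent.name in ("dhclient-script", "google_set_hostname")`), which an attacker defeats by naming the binary or wrapper script accordingly; the shell-profile rule in this same change anchors its exclusions on `process.executable` paths (`/opt/saltstack/salt/bin/*`), and that is the stronger form here too. Separately, the file branch now evaluates `process.name` on every hosts-file event, and if I read EQL's null semantics right a `not ... in (...)` on a missing field yields null and the event no longer matches, so file events without process enrichment would silently drop out of a rule that previously caught them. A form such as `not process.executable in ("/usr/bin/dockerd", "/usr/bin/podman", ...)` with the paths confirmed against the deployments that produced the false positives would address both points.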
@@ -18,15 +18,15 @@ index = ["filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Zoom Meeting with no Passcode" -note = """## Setup - -The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.""" references = [ "https://blog.zoom.us/a-message-to-our-users/", "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic", ] risk_score = 47 rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba" +setup = """ + +The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.""" severity = "medium" tags = [ "Data Source: Zoom", diff --git a/rules/cross-platform/lateral_movement_malicious_remote_file_creation.toml b/rules/cross-platform/lateral_movement_malicious_remote_file_creation.toml new file mode 100644 index 000000000..0ff8be9bd --- /dev/null +++ b/rules/cross-platform/lateral_movement_malicious_remote_file_creation.toml 
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "Avoding rule duplication for <= 8.8 stack versions"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+author = ["Elastic"]
+description = "Malicious remote file creation, which can be an indicator of lateral movement activity."
+from = "now-10m"
+index = ["logs-endpoint.events.*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Malicious Remote File Creation"
+references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
+risk_score = 99
+rule_id = "301571f3-b316-4969-8dd0-7917410030d3"
+severity = "critical"
+tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+type = "eql"
+
+query = '''
+sequence by host.name
+[file where event.action == "creation" and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
+[file where event.category == "malware" or event.category == "intrusion_detection"
+and process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml b/rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
new file mode 100644
index 000000000..59cd85aff
--- /dev/null
+++ b/rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
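Review bot: The `sequence by host.name` in the new query has no `maxspan` and no join on `file.path` or `process.entity_id`, so any file created by `sshd`/`smbd`/`scp` on a host pairs with any later malware or intrusion_detection file event on that host attributed to one of the same process names, regardless of whether it is the same file; since the second event is already a malware verdict, the first stage adds little precision to a rule that fires at `risk_score = 99`. Tightening to `sequence by host.name, file.path with maxspan=5m` would tie the two events to the same file and bound the window, assuming the malware event carries the same `file.path` as the creation event, which should be confirmed against Elastic Defend's alert documents. Unlike the sibling rule added in this change, this one omits `timestamp_override = "event.ingested"`, which looks like an oversight. `min_stack_comments` also has a typo, `Avoding` for `Avoiding`.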
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "Avoding rule duplication for <= 8.8 stack versions"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these
+directories could indicate a malicious binary or script trying to compromise the system.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Remote File Creation on a Sensitive Directory"
+references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
+risk_score = 47
+rule_id = "2377946d-0f01-4957-8812-6878985f515d"
+severity = "medium"
+tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where (event.action == "creation" or event.action == "modification") and
+process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and not
+user.name:("SYSTEM", "root") and
+(file.path : ("C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*",
+ "C*\\Windows\\*", "C*\\Windows\\System\\*",
+ "C*\\Windows\\System32\\*", "/etc/*", "/tmp*",
+ "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
+ "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
+ "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
+ "/lib/systemd/*"
+ )
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
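Review bot: The Windows path patterns in the new query use `C*` as the drive prefix (`"C*\\Users\\*\\AppData\\Roaming*"`, `"C*\\Windows\\*"`, ...), which is an unbounded wildcard matching any path beginning with "C" rather than a drive letter, and misses drives other than C:; the hosts-file rule in this same change uses the conventional `"?:\\Windows\\System32\\drivers\\etc\\hosts"` form, so `"?:\\Users\\*\\AppData\\Roaming*"` and `"?:\\Windows\\*"` would be consistent and also make the separate `System\\*` and `System32\\*` entries redundant. The `not user.name:("SYSTEM", "root")` clause excludes every file written by a root SSH/SCP session, which is the common context for drops into `/etc/*`, `/usr/*` and `/lib/systemd/*`; if that is a deliberate noise trade-off it deserves a sentence in `description`, since as written the rule will not see a root-level remote drop at all. Minor: `"/tmp*"` and `"/var/tmp*"` also match sibling names such as `/tmpfoo`, and `min_stack_comments` misspells `Avoiding`.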
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml index 31f1f7479..b81101419 100644 --- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml @@ -2,9 +2,9 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -29,9 +29,16 @@ references = [ risk_score = 47 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "query" +type = "new_terms" query = ''' event.category:file and event.type:change and @@ -40,19 +47,11 @@ event.category:file and event.type:change and (* and not ( - /bin/yum or - "/usr/sbin/pam-auth-update" or /usr/libexec/packagekitd or - /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew or - /usr/bin/rsync or - /usr/bin/yum or - /var/lib/docker/*/bin/yum or - /var/lib/docker/*/bin/dpkg or - ./merged/var/lib/docker/*/bin/dpkg or "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" ) ) and 
@@ -62,32 +61,45 @@ event.category:file and event.type:change and /tmp/newroot/lib/*/pam_*.so or /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or /tmp/newroot/usr/lib64/security/pam_*.so + ) and + not process.name: + ( + yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or + dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or + systemd or containerd or pacman ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml index 0cb0b70d9..da32aff27 100644 --- a/rules/cross-platform/persistence_shell_profile_modification.toml +++ b/rules/cross-platform/persistence_shell_profile_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/22" [rule] author = ["Elastic"] 
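Review bot: The new `not process.name:(...)` exclusion list whitelists generic interpreters and transfer tools by bare name (`platform-python`, `platform-python3.6`, `rsync`, `systemd`, `containerd`, `btrfs`), so a PAM module dropped by any Python script run under platform-python, or copied in with rsync, never reaches the rule, and a name match is trivially satisfied by renaming the dropper; the preceding hunk removed the path-anchored `/usr/bin/rsync`, `/usr/bin/yum` and `/usr/bin/dpkg` executable exclusions that were harder to spoof. Since the rule is now `new_terms` on `process.executable` and `file.path`, most package-manager false positives would already self-suppress after their first sighting, which weakens the case for such a broad list. `pdkg` in the list looks like a typo for `dpkg`, which is already present. Suggest keeping exclusions on `process.executable` paths and leaving interpreters out, or at minimum documenting in `note` that Python-driven PAM changes are blind spots.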
@@ -24,26 +24,22 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware- risk_score = 47 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c" severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "query" query = ''' event.category:file and event.type:change and - process.name:(* and not (sudo or - vim or - zsh or - env or - nano or - bash or - Terminal or - xpcproxy or - login or - cat or - cp or - launchctl or - java)) and - not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and + process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or + launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or + dnf-automatic or git or dpkg or platform-python)) and + not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and file.path:(/private/etc/rc.local or /etc/rc.local or /home/*/.profile or @@ -55,22 +51,20 @@ event.category:file and event.type:change and /Users/*/.zshenv) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
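Review bot: The first hunk adds `git`, `chmod`, `platform-python`, `dockerd` and `authselect` to the `process.name` exclusion list, and `git` plus `platform-python` in particular exclude whole classes of writers rather than a single tool: a checkout of attacker-controlled dotfiles into `$HOME` or a Python installer rewriting `.bashrc` is now invisible to a rule whose purpose is catching `T1546.004` shell-configuration persistence, and any of these names can be assumed by renaming a binary. The same hunk shows the better pattern with `not process.executable:(... /opt/saltstack/salt/bin/*)`, so the new entries would be safer anchored on `process.executable` paths where the false positives were actually observed. `chmod` is also worth a second look, since it does not change file content; if `event.type:change` here covers attribute changes, excluding `chmod` by name is reasonable, but that assumption should be confirmed and noted.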
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index b6e6fbf20..3ad311540 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml @@ -2,9 +2,9 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] @@ -20,9 +20,16 @@ name = "SSH Authorized Keys File Modification" risk_score = 47 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "query" +type = "new_terms" query = ''' event.category:file and event.type:(change or creation) and @@ -42,13 +49,14 @@ event.category:file and event.type:(change or creation) and /opt/jc/bin/jumpcloud-agent) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" 
@@ -59,14 +67,14 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" + [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" @@ -76,6 +84,7 @@ reference = "https://attack.mitre.org/techniques/T1563/001/" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" @@ -85,3 +94,11 @@ reference = "https://attack.mitre.org/techniques/T1021/004/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml index 36967a399..7320c3562 100644 --- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml @@ -2,9 +2,9 @@ creation_date = "2020/04/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/22" [rule] author = ["Elastic"] 
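Review bot: With the `[rule.new_terms]` block added in the last hunk, this rule now alerts only when the `host.id`, `process.executable`, `file.path` triple is unseen in the `now-7d` window, so an attacker appending a key to `authorized_keys` with the same shell or editor binary an administrator used on that host earlier in the week produces no alert, and after the first alert on a host that executable is silent for the rest of the window. That is a material coverage change for a `T1098.004` persistence rule compared with the per-event query it replaces, and nothing in the visible metadata or `note` tells an analyst about it. Worth a sentence in `note`, for example: `This rule alerts on the first modification of an authorized_keys file by a given executable on a host within a 7-day window; repeated edits by the same binary are not re-alerted.` The min_stack bump to 8.6.0 in the earlier hunk also means stacks on 8.3 to 8.5 lose the rule entirely unless the locked older version is kept for them.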
@@ -22,28 +22,34 @@ rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" -type = "query" +type = "new_terms" query = ''' event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/cross-platform/threat_intel_indicator_match_address.toml index 33b1f3a77..9a1a5953b 100644 --- a/rules/cross-platform/threat_intel_indicator_match_address.toml +++ b/rules/cross-platform/threat_intel_indicator_match_address.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2023/06/27" +updated_date = "2023/10/19" min_stack_comments = """ Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules. 
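Review bot: The `new_terms` conversion in this hunk keeps a query that is only `file.path:(/etc/sudoers* or /private/etc/sudoers*)`, so after the first `/etc/sudoers` edit by a given executable on a host, further tampering through that same binary is suppressed for seven days; a follow-up `echo ... >> /etc/sudoers` from `/usr/bin/bash` after an administrator's earlier shell-driven edit would be silent. The trailing `*` also matches `/etc/sudoers.tmp`, which visudo writes, and `/etc/sudoers.d/<name>`, and since `file.path` is one of the new-terms fields each new drop-in filename will alert while re-edits of an existing one will not. Both behaviours are reasonable but should be stated in the rule's description or `note` so analysts know the rule reports new writers rather than every change.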
@@ -100,11 +100,6 @@ This rule is triggered when an IP address indicator from the Threat Intel Filebe - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -This rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration). - -More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html). """ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", 
@@ -113,6 +108,15 @@ references = [ ] risk_score = 99 rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64" +setup=""" + +This rule needs threat intelligence indicators to work. +Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), +the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), +or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration). + +More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html). +""" severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml index bc87591b0..7a407d297 100644 --- a/rules/cross-platform/threat_intel_indicator_match_hash.toml +++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2023/08/23" +updated_date = "2023/10/19" min_stack_comments = """ Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules. 
@@ -99,11 +99,6 @@ This rule is triggered when a hash indicator from the Threat Intel Filebeat modu - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -This rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration). - -More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html). """ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", 
@@ -112,6 +107,15 @@ references = [ ] risk_score = 99 rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca" +setup=""" + +This rule needs threat intelligence indicators to work. +Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), +the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), +or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration). + +More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html). +""" severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/cross-platform/threat_intel_indicator_match_registry.toml index 0544553c9..6ced44d9d 100644 --- a/rules/cross-platform/threat_intel_indicator_match_registry.toml +++ b/rules/cross-platform/threat_intel_indicator_match_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2023/06/27" +updated_date = "2023/10/19" min_stack_comments = """ Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules. 
@@ -94,11 +94,6 @@ This rule is triggered when a Windows registry indicator from the Threat Intel F
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
-
-This rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).
-
-More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 references = [
 "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
@@ -107,6 +102,15 @@ references = [
 ]
 risk_score = 99
 rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60"
+setup="""
+
+This rule needs threat intelligence indicators to work.
+Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),
+the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),
+or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).
+
+More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
+"""
 severity = "critical"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml
index 548dcb99a..9fbb7f9ea 100644
--- a/rules/cross-platform/threat_intel_indicator_match_url.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_url.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/07/24"
+updated_date = "2023/10/19"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules.
@@ -103,11 +103,6 @@ This rule is triggered when a URL indicator from the Threat Intel Filebeat modul
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
-
-This rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).
-
-More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 references = [
 "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
@@ -116,6 +111,15 @@ references = [
 ]
 risk_score = 99
 rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3"
+setup="""
+
+This rule needs threat intelligence indicators to work.
+Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),
+the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),
+or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).
+
+More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
+"""
 severity = "critical"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 080344a3d..7c98b094c 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
index a0013bba4..10f3690f1 100644
--- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index 32deee2fc..57f07beba 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
index ccc5f89fe..e4b4ae529 100644
--- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.6.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Nick Jones", "Elastic"]
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 9b6bb94e8..7b542798a 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 008d61b51..3b713f994 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 552181c21..4e64f98ed 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 4e78d4238..e2421b561 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 29d5757d4..ee935f6b6 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index 6551ae4ea..4aa177260 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/16"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 94d833e85..c269e47f0 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/15"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index a0995f265..666c41e15 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index 63df8627e..7a2f09090 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index 6602ce057..95da9223e 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
index 26ddc3cac..69f5076ed 100644
--- a/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/09/22"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index ff9618dab..8b68bb624 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/28"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index b43499b90..8183f3ce9 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/27"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index 603dcc022..6e6392a63 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index bc2241fe4..5c4d59871 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/09"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index 28ae27071..057ad33b4 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 928f1b162..2446da3f1 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/24"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index cc2c30690..e086940ed 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -2,10 +2,9 @@
 creation_date = "2021/04/22"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
-
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index b35bb5787..02a64984f 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index 502f53adc..19f25b6d0 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/06/29"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index 1280fe920..91440dc7b 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index fce9a66a9..eb570fcfa 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index bb2e94eed..064094c8e 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/18"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index bb5149224..83490a20d 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 1236984cc..4ddc1121c 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 2bb04050d..5894cecae 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/08/27"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index 1f38decb2..9fab36a07 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index 32c36862d..4ab1bb5aa 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
index 04a0ce323..e96b2938d 100644
--- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
+++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/09/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Xavier Pich"]
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index eb4a0c013..0b27d82f7 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index d4ef16cde..811f4578e 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index cf2a46a33..77d9869c7 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index 4ffe7f51e..bd6a4d98d 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/11"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 167e309f5..766eefcbe 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/02"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index d54ecc791..f3e72f174 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index 98b5bd2cd..2e7f5fb50 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 integration = ["aws"]
 
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index e9cf7f940..f0622af6c 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 integration = ["aws"]
 
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index b48411c34..ae2cf411b 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 integration = ["aws"]
 
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index 47d143110..dae363dc1 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 integration = ["aws"]
 
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 97cc7c73e..b2e817bfc 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 integration = ["aws"]
 
 [rule]
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index c88b09e02..4ad3b0a44 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 0b93db1a5..93a6aea90 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index 9be4b0e8e..b0c544fe5 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 1477799cd..cbdb569d2 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 84363d703..52c0669cf 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index 2b06cc806..cec6b592e 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index 77e34b3a2..b08243647 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/04/12"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index 2af669a16..1e690fa56 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 428c05327..61fffb6b3 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/05/10"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index 4b7c2c295..b00cafb0a 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/07/19"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index 2009f4a47..a1957e6b9 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index c431b3707..fbfda67e6 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index ff82788f4..67c7d630b 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index f8f83f9fb..1a0318d5f 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index 5739a3aae..21023d227 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index e3c6d08ae..dbc55b859 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml
new file mode 100644
index 000000000..ca323fbf0
--- /dev/null
+++ b/rules/integrations/beaconing/command_and_control_beaconing.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["beaconing"]
+maturity = "production"
+min_stack_comments = "Beaconing package updates and support"
+min_stack_version = "8.10.1"
+updated_date = "2023/10/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain
+stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain
+persistence in a network.
+"""
+from = "now-1h"
+index = ["ml_beaconing.all"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Statistical Model Detected C2 Beaconing Activity"
+note = """## Setup
+
+The Beaconing integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/beaconing",
+ "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"
+]
+risk_score = 21
+rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
+severity = "low"
+tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+beacon_stats.is_beaconing: true
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
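Review bot: The `note` stops at the setup requirement and tells the analyst nothing about what `beacon_stats.is_beaconing: true` represents or how it relates to `beacon_stats.beaconing_score`, the field the high-confidence sibling rule in this commit keys on. Periodic traffic from software update checks, telemetry and monitoring agents tends to look like beaconing to a statistical model, so a short `## Triage and analysis` paragraph in the `note` naming those benign sources (or a populated `false_positives` list) would make a low-severity alert actionable. The DED rules added in this commit tag ML-driven detections with `Rule Type: ML`; this rule is `type = "query"` but, per its own note, depends on ML jobs, so whether it should carry that tag is worth settling for consistency across the commit.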
diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
new file mode 100644
index 000000000..6897e064e
--- /dev/null
+++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["beaconing"]
+maturity = "production"
+min_stack_comments = "Beaconing package updates and support"
+min_stack_version = "8.10.1"
+updated_date = "2023/10/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help
+attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and
+maintain persistence in a network.
+"""
+from = "now-1h"
+index = ["ml_beaconing.all"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Statistical Model Detected C2 Beaconing Activity with High Confidence"
+note = """## Setup
+
+The Beaconing integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/beaconing",
+ "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"
+]
+risk_score = 21
+rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93"
+severity = "low"
+tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+beacon_stats.beaconing_score: 3
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
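Review bot: `risk_score = 21` and `severity = "low"` are identical to the base beaconing rule added in this commit, so the "high confidence" variant produces alerts that rank exactly like the lower-confidence ones and the split buys nothing for prioritization. Either raise the level here (for example `risk_score = 47` with `severity = "medium"`, following the repository's usual score-to-severity pairing) or state in the `note` why both rules share one level. The base rule matches `beacon_stats.is_beaconing: true` while this one matches `beacon_stats.beaconing_score: 3`; if a score of 3 implies `is_beaconing`, every document this rule hits also fires the base rule, and that overlap belongs in the `note` so analysts expect the duplicate alert rather than treating it as two findings.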
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
new file mode 100644
index 000000000..4e9710e76
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to
+geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
+and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_geo_country_iso_code"
+name = "Potential Data Exfiltration Activity to an Unusual ISO Code"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "e1db8899-97c1-4851-8993-3a3265353601"
+severity = "low"
+tags = [
+ "Use Case: Data Exfiltration Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
new file mode 100644
index 000000000..1bba24f12
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml
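Review bot: The `description` says "to a particular geo-location (by region name)" but the job is `ded_high_sent_bytes_destination_geo_country_iso_code` and the `name` says "Unusual ISO Code"; the text is identical to the region-name rule later in this commit and should read `A machine learning job has detected data exfiltration to a particular geo-location (by country ISO code).` The `tags` list also carries both `Rule Type: ML` and `Rule Type: Machine Learning`, which say the same thing; the same pair is repeated in every DED rule of this commit (destination_ip, destination_port, destination_region_name, the two external-device byte rules, the AirDrop rule and the rare-process rule), so whichever form the repository's tag vocabulary expects should be kept and the other dropped in all of them.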
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to
+geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
+and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_ip"
+name = "Potential Data Exfiltration Activity to an Unusual IP Address"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "cc653d77-ddd2-45b1-9197-c75ad19df66c"
+severity = "low"
+tags = [
+ "Use Case: Data Exfiltration Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
new file mode 100644
index 000000000..b1af3e632
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml
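Review bot: The `description` frames this detection as "a particular geo-location (by IP address)", but the job `ded_high_sent_bytes_destination_ip` and the `name` key on the destination IP itself, not on a derived location, so the sentence reads as a leftover from the geo-based rules in this commit. Suggested wording: `A machine learning job has detected data exfiltration to a particular destination IP address. Data transfers to destinations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.`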
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are
+outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_port"
+name = "Potential Data Exfiltration Activity to an Unusual Destination Port"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "ef8cc01c-fc49-4954-a175-98569c646740"
+severity = "low"
+tags = [
+ "Use Case: Data Exfiltration Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
new file mode 100644
index 000000000..8692fed9a
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to
+geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
+and control channels.
+"""
+from = "now-6h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
+name = "Potential Data Exfiltration Activity to an Unusual Region"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "bfba5158-1fd6-4937-a205-77d96213b341"
+severity = "low"
+tags = [
+ "Use Case: Data Exfiltration Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
new file mode 100644
index 000000000..36e40ec6a
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected high bytes of data written to an external device. In a typical operational setting,
+there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually
+large amount of data being written is anomalous and can signal illicit data copying or transfer activities.
+"""
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device"
+name = "Spike in Bytes Sent to an External Device"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "35a3b253-eea8-46f0-abd3-68bdd47e6e3d"
+severity = "low"
+tags = [
+ "Use Case: Data Exfiltration Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1052"
+name = "Exfiltration Over Physical Medium"
+reference = "https://attack.mitre.org/techniques/T1052/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
new file mode 100644
index 000000000..aafcbc007
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical
+operational setting, there is usually a predictable pattern or a certain range of data that is written to external
+devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer
+activities.
+"""
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
+name = "Spike in Bytes Sent to an External Device via Airdrop"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
+severity = "low"
+tags = [
+ "Use Case: Data Exfiltration Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1011"
+name = "Exfiltration Over Other Network Medium"
+reference = "https://attack.mitre.org/techniques/T1011/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
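Review bot: The threat mapping stops at technique T1011 while the beaconing rules in this commit map down to a sub-technique; given the job is `ded_high_bytes_written_to_external_device_airdrop` and AirDrop transfers run over a peer-to-peer Bluetooth/Wi-Fi path, sub-technique T1011.001 (Exfiltration Over Bluetooth) may be the more precise mapping, but confirm against what the job actually measures before adding a `[[rule.threat.technique.subtechnique]]` entry. The `name` and `description` write "Airdrop"; the product spelling is "AirDrop", and matching it keeps the rule findable when analysts search by product name.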
diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
new file mode 100644
index 000000000..10a537763
--- /dev/null
+++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/22"
+integration = ["ded"]
+maturity = "production"
+min_stack_comments = "New rule"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/14"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a rare process writing data to an external device. Malicious actors often use
+benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no
+legitimate reason to write data to external devices can indicate exfiltration.
+"""
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "ded_rare_process_writing_to_external_device"
+name = "Unusual Process Writing Data to an External Device"
+note = """## Setup
+
+The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/ded"
+]
+risk_score = 21
+rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99"
+severity = "low"
+tags = [
+ "Use Case: Data Exfiltration Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Exfiltration",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1052"
+name = "Exfiltration Over Physical Medium"
+reference = "https://attack.mitre.org/techniques/T1052/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
new file mode 100644
index 000000000..beb987af0
--- /dev/null
+++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml 
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/09/14"
+integration = ["dga","endpoint","network_traffic"]
+maturity = "production"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is
+predicted to be the result of a Domain Generation Algorithm.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Machine Learning Detected DGA activity using a known SUNBURST DNS domain"
+note = """## Setup
+
+The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga"
+]
+risk_score = 99
+rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766"
+severity = "critical"
+tags = [
+ "Domain: Network",
+ "Domain: Endpoint",
+ "Data Source: Elastic Defend",
+ "Use Case: Domain Generation Algorithm Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+[[rule.threat.technique.subtechnique]]
+id = "T1568.002"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1568/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
new file mode 100644
index 000000000..7da14e887
--- /dev/null
+++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml
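Review bot: The `query` requires `ml_is_dga.malicious_prediction:1` before it will match the known SUNBURST domain, so a resolution of avsvmcloud.com that the model happens to score as benign produces no alert at all, which is a surprising property for a critical-severity rule built around a fixed IOC; either match `dns.question.registered_domain:avsvmcloud.com` on its own or state in `note` why the ML gate is intentional. The match also depends on `dns.question.registered_domain` being populated, which for `logs-network_traffic.*` presumably needs the registered-domain enrichment in the pipeline — worth one sentence in the Setup section. The `description` has a grammar slip: `a DNS question name that used by the SUNBURST malware` should read `a DNS question name that is used by the SUNBURST malware`.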
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/09/14"
+integration = ["dga","endpoint","network_traffic"]
+maturity = "production"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity
+is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address
+making DNS requests that have an aggregate high probability of being DGA activity.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "dga_high_sum_probability"
+name = "Potential DGA Activity"
+note = """## Setup
+
+The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga"
+]
+risk_score = 21
+rule_id = "ff0d807d-869b-4a0d-a493-52bc46d2f1b1"
+severity = "low"
+tags = [
+ "Use Case: Domain Generation Algorithm Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml
new file mode 100644
index 000000000..cc4594266
--- /dev/null
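Review bot: The threat mapping stops at the parent `T1568` while the three query rules in this same change map to the `T1568.002` Domain Generation Algorithms sub-technique; this job is explicitly a DGA detector, so the sub-technique applies here as well and keeps ATT&CK coverage consistent across the integration. Add a sub-technique entry directly under the existing `[[rule.threat.technique]]` block.
```toml
[[rule.threat.technique]]
id = "T1568"
# … unchanged: name, reference …
[[rule.threat.technique.subtechnique]]
id = "T1568.002"
name = "Domain Generation Algorithms"
reference = "https://attack.mitre.org/techniques/T1568/002/"
```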
+++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml 
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/09/14"
+integration = ["dga","endpoint","network_traffic"]
+maturity = "production"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain
+Generation Algorithm (DGA), which could indicate command and control network activity.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Machine Learning Detected a DNS Request With a High DGA Probability Score"
+note = """## Setup
+
+The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga"
+]
+risk_score = 21
+rule_id = "da7f5803-1cd4-42fd-a890-0173ae80ac69"
+severity = "low"
+tags = [
+ "Domain: Network",
+ "Domain: Endpoint",
+ "Data Source: Elastic Defend",
+ "Use Case: Domain Generation Algorithm Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+ml_is_dga.malicious_probability > 0.98
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+[[rule.threat.technique.subtechnique]]
+id = "T1568.002"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1568/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
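Review bot: Unlike the sibling `predicted_to_be_a_dga_domain` rule, this `query` has no `and not dns.question.registered_domain:avsvmcloud.com` clause, so a SUNBURST lookup scored above 0.98 raises this low-severity alert alongside the critical one; if that overlap is intended, say so in `note`, otherwise add the same exclusion. The `0.98` cut-off is a tuning constant with no rationale anywhere in the rule; a line in `note` explaining how it was chosen, and that lowering it trades precision for recall, would help operators who tune it. Wording: `sourcing from a Domain Generation Algorithm` reads oddly, `originating from a Domain Generation Algorithm` is clearer.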
diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
new file mode 100644
index 000000000..680850d32
--- /dev/null
+++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/09/14"
+integration = ["dga","endpoint","network_traffic"]
+maturity = "production"
+min_stack_comments = "DGA package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain
+Generation Algorithm (DGA), which could indicate command and control network activity.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Machine Learning Detected a DNS Request Predicted to be a DGA Domain"
+note = """## Setup
+
+The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/dga"
+]
+risk_score = 21
+rule_id = "f3403393-1fd9-4686-8f6e-596c58bc00b4"
+severity = "low"
+tags = [
+ "Domain: Network",
+ "Domain: Endpoint",
+ "Data Source: Elastic Defend",
+ "Use Case: Domain Generation Algorithm Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Command and Control",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1568"
+name = "Dynamic Resolution"
+reference = "https://attack.mitre.org/techniques/T1568/"
+[[rule.threat.technique.subtechnique]]
+id = "T1568.002"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1568/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
new file mode 100644
index 000000000..2d07e6bb6
--- /dev/null
+++ b/rules/integrations/github/execution_new_github_app_installed.toml
@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2023/08/29"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a new GitHub App has been installed in your organization account.
+GitHub Apps extend GitHub's functionality both within and outside of GitHub.
+When an app is installed it is granted permissions to read or modify your repository and organization data.
+Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy.
+Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "New GitHub App Installed"
+risk_score = 47
+rule_id = "1ca62f14-4787-4913-b7af-df11745a49da"
+severity = "medium"
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1072"
+name = "Software Deployment Tools"
+reference = "https://attack.mitre.org/techniques/T1072/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
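Review bot: The `not dns.question.registered_domain:avsvmcloud.com` exclusion silently couples this rule to the SUNBURST rule: if that rule is disabled, or its domain changes, model hits on that domain stop alerting anywhere, and nothing in this file records the dependency. Add to `note` something like `This rule deliberately excludes avsvmcloud.com, which is covered by the "Machine Learning Detected DGA activity using a known SUNBURST DNS domain" rule; keep both rules enabled to retain coverage.` The exclusion keys on a single registered-domain value, so an event carrying only `dns.question.name` still passes through; that is the correct behaviour but is worth stating next to the exclusion.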
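Review bot: This rule has no `note` block, unlike the ML rules in the same change, so an analyst gets neither setup nor triage guidance: add a `## Setup` section stating that the GitHub integration must be collecting the organization audit log, and a short triage list (who performed the install, which permissions the app requested, whether a change record exists). The `description` promises that an installed app "is granted permissions to read or modify your repository and organization data", but the `query` surfaces nothing about the permission set, so the note should tell the analyst where in the audit event to look for it. The ATT&CK mapping to `T1072` Software Deployment Tools is a loose fit for an app installation, which is closer to account or token manipulation; if it was chosen deliberately, a sentence in `note` explaining why would save the next reviewer the same question.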
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
new file mode 100644
index 000000000..3fd492d96
--- /dev/null
+++ b/rules/integrations/github/persistence_github_org_owner_added.toml
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2023/09/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when a new member is added to a GitHub organization as an owner.
+This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity.
+Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "New GitHub Owner Added"
+risk_score = 47
+rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
+severity = "medium"
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+[[rule.threat.technique.subtechnique]]
+id = "T1136.003"
+name = "Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1136/003/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
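Review bot: Typo in `description`: `determine it's validity` should be `determine its validity` (the sibling `persistence_organization_owner_role_granted` rule already has the correct form). Separately, the rule treats `github.permission == "admin"` as meaning the Owner role; if the audit log uses a distinct value for organization owners versus repository admins this will over- or under-match, so the expected value should be confirmed against a real `org.add_member` event and recorded in a `note` section, which this rule currently lacks.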
diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml
new file mode 100644
index 000000000..0d757fe43
--- /dev/null
+++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2023/09/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a member is granted the organization owner role of a GitHub organization.
+This role provides admin level privileges. Any new owner role should be investigated to determine its validity.
+Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub Owner Role Granted To User"
+risk_score = 47
+rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
+severity = "medium"
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
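Review bot: The `query` fires on any `org.update_member` whose resulting `github.permission` is `admin`, including a re-save of a member who was already an owner, so it can alert on no-op updates; if the audit event carries the previous permission (the field name is not visible here), add a condition excluding events where the old value was already `admin`. As with the sibling rule there is no `note` section; a `## Setup` line stating that the GitHub audit-log integration must be enabled, plus a triage hint such as comparing the grantee against the approved owner list, would bring it in line with the ML rules in this change.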
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
new file mode 100644
index 000000000..4b742938d
--- /dev/null
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected unusually high number of process arguments in an RDP session. Executing
+sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms,
+redirection and piping, which in turn increases the number of arguments in a command.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_mean_rdp_process_args"
+name = "High Mean of Process Arguments in an RDP Session"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+]
+risk_score = 21
+rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
new file mode 100644
index 000000000..c797f99d9
--- /dev/null
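Review bot: The technique mapping `T1210` (Exploitation of Remote Services) does not describe what this job observes: an unusual argument count inside an established RDP session is use of a legitimate remote service, which ATT&CK files under `T1021` Remote Services with sub-technique `T1021.001` Remote Desktop Protocol, not exploitation of a vulnerable service. Replace the technique entry with `id = "T1021"`, `name = "Remote Services"`, `reference = "https://attack.mitre.org/techniques/T1021/"` and add the `T1021.001` sub-technique; the same applies to the other RDP-based LMD rules in this change. Grammar in `description`: `detected unusually high number` needs an article, `detected an unusually high number`.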
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade
+detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might
+require uninterrupted access to a compromised machine.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
+name = "High Mean of RDP Session Duration"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
new file mode 100644
index 000000000..3e873e175
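Review bot: Same mapping concern as the other RDP jobs: `T1210` implies a vulnerable service being exploited, whereas a long RDP session is ordinary use of `T1021.001` Remote Desktop Protocol; the tactic is right, the technique is not. The `description` asserts that long sessions `can be used to evade detection mechanisms via session persistence` without support; either add a reference or soften it to `may indicate an attacker maintaining an interactive foothold on the host`. `detected unusually high mean` also needs an article (`an unusually high mean`).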
--- /dev/null
+++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral
+movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
+valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data
+into a single large file transfer.
+"""
+from = "now-90m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
+name = "Unusual Remote File Size"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
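Review bot: The `description` argues exfiltration (`locate and exfiltrate valuable information`, bundling data into a single large transfer) while the rule is tagged and mapped only to Lateral Movement / `T1210`, so the narrative and the ATT&CK mapping point analysts in different directions. Either add a second `[[rule.threat]]` entry for Exfiltration (`TA0010`) so the alert is triaged as a possible data-staging event, or rewrite the description around tooling or payloads being copied onto the remote host, which is `T1570` Lateral Tool Transfer; a large remote file transfer does not indicate Exploitation of Remote Services in either reading. The first sentence also needs a comma: `shared by a remote host, indicating potential lateral movement activity`.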
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
new file mode 100644
index 000000000..df15d4a6e
--- /dev/null
+++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to
+evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that
+might require uninterrupted access to a compromised machine.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_var_rdp_session_duration"
+name = "High Variance in RDP Session Duration"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
new file mode 100644
index 000000000..045533bec
--- /dev/null
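Review bot: The `description` was carried over from the mean-duration rule: it explains why *long* sessions are suspicious, but this job (`lmd_high_var_rdp_session_duration`) flags *variance*, i.e. session lengths that are inconsistently short and long, so the text does not explain the alert an analyst is looking at. Rewrite along the lines of `A machine learning job has detected unusually high variance in RDP session duration. Highly inconsistent session lengths from a host can indicate a mix of scripted and interactive activity that differs from the host's normal usage pattern.` The `T1210` technique has the same problem as the other RDP rules; `T1021.001` Remote Desktop Protocol describes the observed activity.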
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral
+movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so
+attackers might use less common directories to bypass monitoring.
+"""
+from = "now-90m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
+name = "Unusual Remote File Directory"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
new file mode 100644
index 000000000..6644f7bcc
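Review bot: A remote file landing in an unusual directory is file or tool staging, which ATT&CK covers as `T1570` Lateral Tool Transfer; `T1210` Exploitation of Remote Services implies a vulnerability being exploited and will mislead triage and coverage reporting. Replace the technique entry with `id = "T1570"`, `name = "Lateral Tool Transfer"`, `reference = "https://attack.mitre.org/techniques/T1570/"`. Wording in `description`: `Many Security solutions` should be lower-case `security`, and the first sentence reads better as `on an unusual directory, indicating potential lateral movement activity on the host`.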
--- /dev/null
+++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential
+lateral movement activity on the host.
+"""
+from = "now-90m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
+name = "Unusual Remote File Extension"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
new file mode 100644
index 000000000..6743d9f90
--- /dev/null
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml
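Review bot: Same point as the other file-transfer jobs: a remote file transfer with a rare extension is `T1570` Lateral Tool Transfer, not `T1210` Exploitation of Remote Services, and the mapping should be changed accordingly. The `description` is also the thinnest in this change; one sentence on why the extension matters (for example renamed executables, archives or scripts arriving on hosts that normally receive only documents) would give an analyst a reason to escalate rather than dismiss a low-severity ML alert.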
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source
+IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of
+valuable assets, data, or further access points.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
+name = "Spike in Number of Connections Made from a Source IP"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
new file mode 100644
index 000000000..be30763ad
--- /dev/null
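Review bot: The ATT&CK mapping does not match the behaviour this rule describes: the description and the job ID `lmd_high_rdp_distinct_count_destination_ip_for_source` are about one source opening RDP sessions to many hosts, which is use of a remote service with whatever credentials the attacker holds, not T1210 Exploitation of Remote Services, which covers exploiting a flaw in the service. The accurate mapping under the same TA0008 tactic is T1021 Remote Services with the T1021.001 Remote Desktop Protocol sub-technique; the technique table would become the block below, with the `[rule.threat.tactic]` block unchanged. Since the tag `Tactic: Lateral Movement` stays valid, no other field needs to change.

```toml
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"
# … unchanged: [rule.threat.tactic] block …
```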
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination
+IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets
+detected and blocked.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
+name = "Spike in Number of Connections Made to a Destination IP"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
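Review bot: The description explains a many-sources-to-one-destination RDP spike as attackers using several compromised systems for redundancy "in case a source IP gets detected and blocked", which reads as a coordinated scan or password-guessing campaign against the RDP target rather than exploitation of a service flaw, so the T1210 technique table does not describe what the job detects. RDP access with credentials is T1021.001 Remote Desktop Protocol under T1021 Remote Services, which fits the TA0008 tactic already declared; if the password-guessing reading is intended too, a second `[[rule.threat]]` block for T1110 Brute Force under TA0006 Credential Access would give analysts the right triage path. Whichever is chosen, the `Tactic:` tag should be kept in step with the tactic blocks.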
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
new file mode 100644
index 000000000..2ec51fc82
--- /dev/null
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a
+large number of processes remotely on other machines can be an indicator of lateral movement activity.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
+name = "Spike in Number of Processes in an RDP Session"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
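Review bot: The Setup section of `note` tells the operator that "related ML jobs" must be configured but never names the job this rule depends on; `machine_learning_job_id` is the only place `lmd_high_sum_rdp_number_of_processes` appears, and that field is not part of the investigation guide an analyst sees on the alert. Add a sentence to the Setup text such as `This rule requires the "lmd_high_sum_rdp_number_of_processes" anomaly detection job from the Lateral Movement Detection integration to be running.` so a missing or stopped job can be diagnosed from the alert itself. The same applies to the other LMD rules in this change, each with its own job ID.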
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
new file mode 100644
index 000000000..8ce0f730f
--- /dev/null
+++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral
+movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
+valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network,
+to evade detection.
+"""
+from = "now-90m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_count_remote_file_transfer"
+name = "Spike in Remote File Transfers"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
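Review bot: The description's rationale is exfiltration, "multiple small transfers to match normal egress activity", yet the only threat mapping is T1210 Exploitation of Remote Services under Lateral Movement, which describes neither the file-sharing volume the job `lmd_high_count_remote_file_transfer` measures nor the evasion behaviour the text calls out. For the TA0008 entry, T1570 Lateral Tool Transfer is the technique that matches a spike in files moved between hosts. If the exfiltration reading is intended, add a second `[[rule.threat]]` block under TA0010 Exfiltration with T1030 Data Transfer Size Limits, which is the "many small transfers to stay under thresholds" pattern the description spells out, and add the matching `Tactic: Exfiltration` tag.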
diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
new file mode 100644
index 000000000..aaebf1eed
--- /dev/null
+++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd"]
+maturity = "production"
+min_stack_comments = "LMD package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/12"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual
+time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger
+attack.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
+name = "Unusual Time or Day for an RDP Session"
+note = """## Setup
+
+The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd"
+]
+risk_score = 21
+rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
+severity = "low"
+tags = [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
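Review bot: The first line of the description says the RDP session started "at an usual time or weekday", which inverts the rule's meaning and contradicts both the rule name "Unusual Time or Day for an RDP Session" and the job ID `lmd_unusual_time_weekday_rdp_session_start`; this text is what analysts see on the alert. Change that line to `A machine learning job has detected an RDP session started at an unusual time or weekday. An RDP session at an unusual`. Separately, the T1210 technique is a poor fit for an RDP-timing anomaly (nothing is being exploited), so T1021.001 Remote Desktop Protocol under T1021 Remote Services is worth considering for the technique table.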
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml index 76e9531a4..ea7727195 100644 --- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 122c6d031..0b0642aec 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -2,9 +2,9 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml index 9311bb1be..5b532e0f0 100644 --- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml +++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml 
@@ -2,9 +2,9 @@ creation_date = "2022/01/05" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml index 920423823..ea496f4e9 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -2,9 +2,9 @@ creation_date = "2020/07/16" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml index 8a06da032..2fd57af1d 100644 --- a/rules/integrations/okta/credential_access_user_impersonation_access.toml +++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml @@ -2,9 +2,9 @@ creation_date = "2022/03/22" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] 
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml index 82aa64827..856ad4b93 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml @@ -2,9 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/30" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml index 3c39f5e83..81e9923cb 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml @@ -2,9 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/30" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml index 4e3d4479b..299402106 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml 
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml @@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index 58860e787..b8808bd73 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml @@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml index f1ca3dd89..3eacae43c 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/05/28" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/30" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml index d03380c64..a4d1686a6 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml @@ -2,9 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/30" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml index 1cac48ec5..46d6272fc 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/30" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml index 03a4d292a..396b1a511 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml @@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/30" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index 10553afe9..ed6f28598 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 4d461de63..7d6940bf1 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -2,9 +2,9 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/30" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml index a2267b536..d8a9dbacb 100644 --- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml +++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/30" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml index 7887f83d5..e50772963 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml @@ -2,9 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/30" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml index 7178d23a5..f7a58cf61 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml @@ -2,9 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] 
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml index 04cc2f0fa..c1d8d4462 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml @@ -2,9 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml index b3073630c..50fbb993e 100644 --- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml +++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml @@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml index 344e04661..1065307a1 100644 --- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml 
@@ -2,9 +2,9 @@ creation_date = "2021/05/14" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index 6f41ce6d5..0edfa5597 100644 --- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml index 4dfba7b0c..007370eca 100644 --- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml +++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" promotion = true [rule] diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index c6b80a4df..3d6cc61ca 100644 --- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml index 377b354b4..e43376c7a 100644 --- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml +++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml index abf0487d8..e4747856d 100644 --- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml +++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml @@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml index 23b2763a4..d128c950c 100644 --- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/05/20" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index cb4fb8ff1..e80120621 100644 --- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -2,9 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index a79da174c..393117f63 100644 --- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/07/01" integration = ["okta"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/17" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml new file mode 100644 index 000000000..7701a2a8b --- /dev/null +++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml 
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/09/19"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two
+ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual
+process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious
+or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_host"
+name = "Unusual Process Spawned by a Host"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "56004189-4e69-4a39-b4a9-195329d226e9"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
new file mode 100644
index 000000000..7a6af8781
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
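Review bot: The `tags` list of this new rule carries two values under the same prefix, `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, which reads as a leftover from a tag rename rather than two distinct categories; every other problemchild rule added in this commit has the same pair. Keeping only the value the repository's tag validation expects avoids a duplicate facet in the UI tag filter. The description also says the process was "classified as suspicious" where the sibling parent-process and user rules say "classified as malicious" for the same supervised model, so the wording should agree across the three rare-process rules.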
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
+ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child
+process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or
+malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_parent"
+name = "Unusual Process Spawned by a Parent Process"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
new file mode 100644
index 000000000..fc3085911
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
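Review bot: The ATT&CK mapping of this rule (`T1036` Masquerading) differs from the host-scoped sibling added in the same commit, which maps the same job family to `T1218` System Binary Proxy Execution, while both descriptions make the same claim about LOLbins; if the split is intentional it deserves a sentence in the description, otherwise the three rare-process rules should share one mapping. Separately, the `note` Setup text speaks of "related ML jobs" in the plural, but this rule binds a single `machine_learning_job_id`; naming it in the note, e.g. `The problem_child_rare_process_by_parent job must be running for this rule to produce alerts.`, saves the operator a trip through the references.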
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
+ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given
+that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a
+process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to
+detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_user"
+name = "Unusual Process Spawned by a User"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
new file mode 100644
index 000000000..801f18442
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
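Review bot: The description in this rule has a missing space and an awkward clause in `that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model`; suggested wording: `and it was found to be an unusual process for the user context, by an unsupervised ML model.` The rest of the sentence is otherwise a copy of the parent-process rule's description, so the two should be kept in step if that wording is revised.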
@@ -0,0 +1,66 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild","endpoint"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
+probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
+malicious.
+"""
+from = "now-10m"
+index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad"
+severity = "low"
+tags = [
+ "OS: Windows",
+ "Data Source: Elastic Endgame",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
new file mode 100644
index 000000000..4adb1946e
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
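Review bot: The exclusion `not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")` in the query is keyed solely on an attacker-controllable string: any process the model or blocklist flags is suppressed as long as one of its arguments mentions that path, so a masquerading binary can silence this rule by passing a dummy argument such as `C:\WINDOWS\temp\nessus_x.tmp`. The exclusion should also be tied to the scanner's identity, along the lines of `not (process.parent.executable : "*nessus*" and process.args : (...))`; which parent or executable field reliably identifies the Nessus agent in your data is something to confirm before wording it. The description says the event has a "high probability" of being malicious, but unlike the `high_probability` sibling this query has no `prediction_probability` threshold, so the description looks copied and should state this rule's actual condition. Finally, `index` includes `logs-endpoint.events.process-*` yet `tags` lists only `"Data Source: Elastic Endgame"`, so a `"Data Source: Elastic Defend"` tag (and `"Domain: Endpoint"`, as on the ML siblings) appears to be missing.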
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild","endpoint"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
+probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
+malicious.
+"""
+from = "now-10m"
+index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
+severity = "low"
+tags = [
+ "OS: Windows",
+ "Data Source: Elastic Endgame",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
new file mode 100644
index 000000000..38ec615d9
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
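Review bot: The query here is a strict subset of the sibling `defense_evasion_ml_suspicious_windows_event` rule added in this commit (same `index`, same `blocklist_label` clause, same `process.args` exclusion, plus `prediction_probability > 0.98`), yet both carry `risk_score = 21` and `severity = "low"`, so every high-probability event raises two alerts of identical severity and the extra rule adds no signal. Either raise this rule's `risk_score`/`severity` to reflect the stronger prediction, or bound the broader rule with `problemchild.prediction_probability <= 0.98` so the two partition the events. The `or blocklist_label == 1` branch bypasses the probability gate, which matches the description but means a rule named for a high probability score fires on blocklist hits of any score; that is worth stating explicitly in the description. The shared `nessus_*` argument-string exclusion has the same evasion concern as in the sibling rule.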
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
+scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
+processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be
+unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
+involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_host"
+name = "Suspicious Windows Process Cluster Spawned by a Host"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3"
+severity = "low"
+tags = [
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
new file mode 100644
index 000000000..2e4c7417e
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
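Review bot: The `tags` of this rule omit `"Domain: Endpoint"` and `"OS: Windows"`, which the parent-process and user variants of the same cluster rule in this commit carry, so the three rules will not filter alike in the UI; add `"Domain: Endpoint",` and `"OS: Windows",` at the top of the list. Its `updated_date` (`2023/10/16`) also lags the siblings' `2023/10/23` although the content is parallel, which suggests this file missed a later sweep. The duplicated `"Rule Type: ML"` / `"Rule Type: Machine Learning"` pair appears here as in the other new problemchild rules and should be collapsed to one value.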
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
+scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
+processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to
+be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
+involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_parent"
+name = "Suspicious Windows Process Cluster Spawned by a Parent Process"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
new file mode 100644
index 000000000..1bc663132
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
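Review bot: The `note` Setup text says only that the LotL integration must be enabled and "related ML jobs configured", but the EQL rules added alongside this one query `problemchild.prediction` on process events, which implies an inference pipeline has to be attached to the process indices before the `problem_child_high_sum_by_parent` job has anything to aggregate; a sentence to that effect, naming the job, would keep an operator from enabling the rule against an empty job. I am inferring the pipeline requirement from the field names in the sibling EQL rules, so confirm it against the integration docs listed in `references` before adding it.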
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
+scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
+processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be
+unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
+involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_user"
+name = "Suspicious Windows Process Cluster Spawned by a User"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
index 39cb4ed43..d576b75ea 100644
--- a/rules/linux/command_and_control_cat_network_activity.toml
+++ b/rules/linux/command_and_control_cat_network_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/04" +updated_date = "2023/11/02" [rule] author = ["Elastic"]
@@ -21,15 +21,41 @@ license = "Elastic License v2" name = "Network Activity Detected via cat" risk_score = 47 rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and - process.name == "cat"] - [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and - process.name == "cat"] + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "cat" and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and process.name == "cat" and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' [[rule.threat]] diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index d1738432e..141d91071 100644 --- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/23" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
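Review bot: The rewritten network clause drops IPv4 loopback, link-local and multicast destinations but on the IPv6 side excludes only `::1`, so IPv6 link-local (`fe80::/10`) and multicast (`ff00::/8`) connections would still match while their IPv4 equivalents do not; for parity use `not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1", "fe80::/10", "ff00::/8")`. The new `process.parent.name in ("bash", "dash", "sh", ...)` gate on the process event means a `cat` launched by anything other than a shell (a script interpreter, cron, or a dropped binary) no longer matches, which is presumably an accepted false-positive trade-off but narrows the detection enough to deserve a sentence in the rule's description or note. The added setup text links `fleet/8.10/agent-policy.html` while the other guides it cites use `current`, so that one link will go stale with the next stack release.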
@@ -26,6 +26,32 @@ references = [
 ]
 risk_score = 47
 rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml
index 4d75f2134..e979d04e4 100644
--- a/rules/linux/command_and_control_linux_chisel_server_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/23" +updated_date = "2023/11/02" [rule] author = ["Elastic"]
@@ -26,6 +26,32 @@ references = [
 ]
 risk_score = 47
 rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
new file mode 100644
index 000000000..fe416ebb3
--- /dev/null
+++ b/rules/linux/command_and_control_linux_kworker_netcon.toml
@@ -0,0 +1,113 @@ +[metadata] +creation_date = "2023/10/18" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/30" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the +kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel +space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. +Attackers may attempt to evade detection by masquerading as a kernel worker process. +""" +from = "now-60m" +index = ["logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License v2" +name = "Network Activity Detected via Kworker" +risk_score = 21 +rule_id = "25d917c4-aa3c-4111-974c-286c0312ff95" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". 
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+ +""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and +process.name:kworker* +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0011" + name = "Command and Control" + reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0005" + name = "Defense Evasion" + reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat.technique]] + name = "Masquerading" + id = "T1036" + reference = "https://attack.mitre.org/techniques/T1036/" + + [[rule.threat.technique]] + name = "Rootkit" + id = "T1014" + reference = "https://attack.mitre.org/techniques/T1014/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0010" + name = "Exfiltration" + reference = "https://attack.mitre.org/tactics/TA0010/" + + [[rule.threat.technique]] + name = "Exfiltration Over C2 Channel" + id = "T1041" + reference = "https://attack.mitre.org/techniques/T1041/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["destination.ip", "process.name", "host.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" + diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index 5efa70cd1..1a731d9f0 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml 
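Review bot: The `process.name:kworker*` term in `query` only matches names that begin with `kworker`, so a process that adopts the bracketed form kernel threads show in `ps` output (`[kworker/0:1]`) — a common masquerading choice — is missed; consider widening it, e.g. `process.name:(kworker* or \[kworker*)`, after confirming how KQL wants the bracket escaped. Adding `process.executable` to the `rule.new_terms` `value` list would keep two different binaries using the same `kworker` name on one host from collapsing into a single alert for the whole 14-day history window. The rule ships with no `note` or `false_positives` section; a short investigation note (check `process.executable` and the parent process, since a genuine kernel worker is not expected to have a user-space binary path) would help analysts triage hits on a `low` severity rule.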
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/23" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -22,6 +22,32 @@ name = "Suspicious Utility Launched via ProxyChains" references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"] risk_score = 21 rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. 
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index 35bbfce1f..14b75139e 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/23" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -24,25 +24,53 @@ references = [ ] risk_score = 47 rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (( -// gost & pivotnacci - spawned without process.parent.name -(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( -// ssh -(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4)) or -// sshuttle -(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or -// socat -(process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or -// chisel -(process.name : "chisel*" and process.args in ("client", "server")) or -// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok -(process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok")) -) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) + // gost & pivotnacci - spawned without process.parent.name + (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( + // ssh + (process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4 and + not process.args : "chmod")) or + // sshuttle + (process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or + // socat + (process.name == "socat" and 
process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or + // chisel + (process.name : "chisel*" and process.args in ("client", "server")) or + // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok + (process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok")) + ) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +) ''' [[rule.threat]] diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 1cce40900..8e017be62 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/07/31" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
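Review bot: The ssh branch this commit rewrites still lists `"D"` without a dash in `process.args in ("-R", "-L", "D", "-w")`; ssh's dynamic SOCKS forwarding flag is `-D`, so this looks like a pre-existing typo that leaves dynamic port forwarding undetected — `process.args in ("-R", "-L", "-D", "-w")`. The new `not process.args : "chmod"` exclusion keys on a single literal token anywhere in the argument list, so anyone who has read the rule can append `chmod` to a forwarding command to suppress the alert; if the false positive it addresses comes from a specific wrapper or script, anchoring the exclusion on `process.parent.executable` or at least recording the source in a `//` comment beside it would make the trade-off explicit for later maintainers. The surrounding `[rule]` table continues outside the hunk.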
@@ -22,70 +22,99 @@ license = "Elastic License v2" name = "Suspicious Network Activity to the Internet by Previously Unknown Executable" risk_score = 21 rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat +- Filebeat +- Packetbeat + + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. 
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +### Filebeat Setup +Filebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. + +#### The following steps should be executed in order to add the Filebeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html). +- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). +- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). +- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). + +### Packetbeat Setup +Packetbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction. + +#### The following steps should be executed in order to add the Packetbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. 
+- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html). +- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html). +- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html). +- For complete “Setup and Run Packetbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html). + +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type:linux and event.category:network and -event.action:(connection_attempted or ipv4_connection_attempt_event) and -process.executable : ( - (/etc/crontab or - /etc/rc.local or - /boot/* or - /dev/shm/* or - /etc/cron.*/* or - /etc/init.d/* or - /etc/rc*.d/* or - /etc/update-motd.d/* or - /home/*/.* or - /run/* or - /srv/* or - /tmp/* or - /usr/lib/update-notifier/* or - /var/tmp/*) and - not (/usr/bin/apt or - /usr/bin/curl or - /usr/bin/dnf or - /usr/bin/dockerd or - /usr/bin/dpkg or - /usr/bin/rpm or - /usr/bin/wget or - /usr/bin/yum) - ) -and source.ip : ( - 10.0.0.0/8 or - 127.0.0.0/8 or - 172.16.0.0/12 or - 192.168.0.0/16) and - not destination.ip : ( - 10.0.0.0/8 or - 100.64.0.0/10 or - 127.0.0.0/8 or - 169.254.0.0/16 or - 172.16.0.0/12 or - 192.0.0.0/24 or - 192.0.0.0/29 or - 192.0.0.10/32 or - 192.0.0.170/32 or - 192.0.0.171/32 or - 
192.0.0.8/32 or - 192.0.0.9/32 or - 192.0.2.0/24 or - 192.168.0.0/16 or - 192.175.48.0/24 or - 192.31.196.0/24 or - 192.52.193.0/24 or - 192.88.99.0/24 or - 198.18.0.0/15 or - 198.51.100.0/24 or - 203.0.113.0/24 or - 224.0.0.0/4 or - 240.0.0.0/4 or - "::1" or - "FE80::/10" or - "FF00::/8") +host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and +process.executable:( + (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or + /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* + ) and not (/tmp/newroot/* or /tmp/snap.rootfs*) + ) and +source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and +not process.name:( + apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or + saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform* +) and +not destination.ip:( + 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or + 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or + 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or + 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" +) ''' [[rule.threat]] @@ -103,8 +132,8 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" -value = ["destination.ip", "process.executable"] +value = ["host.id", "destination.ip", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-14d" 
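Review bot: The rewritten exclusions key on bare `process.name` values (`curl`, `wget`, `java`, `node`, `python*`, `php*`, `aws*`, `terraform*`, …) where the old side excluded absolute `process.executable` paths such as `/usr/bin/curl`, so a binary dropped in any of the watched locations now evades the rule simply by being named like one of them — `/dev/shm/python3` or `/tmp/node` is excluded — which is the masquerading the suspicious-path list exists to catch. Keep the exclusions path-anchored, e.g. `not process.executable:(/home/*/.local/bin/* or /home/*/.pyenv/* or /home/*/.nvm/* …)` scoped to where those interpreters legitimately live, or at minimum require the name-based exclusions to sit outside `/tmp/*`, `/dev/shm/*` and `/var/tmp/*`. The new `./*` entry in the `process.executable` list also expects a relative path; if Elastic Defend records `process.executable` as an absolute path this term never matches and should be confirmed against real events or dropped.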
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index a13802a47..9c1439397 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -18,16 +18,53 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via EarthWorm" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", ] risk_score = 47 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). 
+- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +#### Custom Ingest Pipeline +For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 3a443d1c5..81931d4f5 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -2,9 +2,9 @@ creation_date = "2020/12/22" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
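Review bot: The new "Custom Ingest Pipeline" paragraph keeps the old `note`'s caveat about populating `event.ingested` on stacks `<8.2`, but this file's `min_stack_version` is `8.3.0` (visible in its earlier hunk), so no stack that can load this rule is affected; either drop the paragraph or reword it as "Beats indices need a custom ingest pipeline to set `event.ingested` from `@timestamp` if your stack predates the default EQL fallback". The linked Fleet data-streams tutorial covers Agent data streams rather than Beats indices, so a Beats ingest-pipeline reference would fit better if the paragraph stays. The setup text also lists only Elastic Defend and Auditbeat as sources, while the context line `index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]` and the `Data Source: Elastic Endgame` tag show Endgame is a third one; add `- Elastic Endgame` to the list so users do not assume it is unsupported.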
@@ -22,10 +22,58 @@ references = [ ] risk_score = 47 rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). 
+ +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "query" +type = "new_terms" query = ''' event.category:process and host.os.type:linux and event.type:start and @@ -62,39 +110,46 @@ event.category:process and host.os.type:linux and event.type:start and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" reference = "https://attack.mitre.org/techniques/T1560/" + [[rule.threat.technique.subtechnique]] id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.command_line", "process.parent.executable"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-10d" diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index 61cd91c34..412374a82 100644 --- a/rules/linux/credential_access_credential_dumping.toml 
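Review bot: Switching the rule to `new_terms` over `host.id`, `process.command_line` and `process.parent.executable` with a `now-10d` history window changes what an alert means, and neither the `note` nor the added `setup` text says so: only a host/command-line/parent combination unseen in the last 10 days fires, so the same archive-of-sensitive-files command repeated on a host after the first alert is silent, while any variation in arguments (a different path or output name) is treated as new. That is a reasonable noise trade-off, but responders need to know that the absence of a second alert is not evidence the activity stopped, and that the first run after enabling the rule will surface every existing backup or audit job that touches these files once per host. A line in the triage note such as `This is a New Terms rule: it alerts only the first time a given host, command line and parent executable combination is observed within the 10-day history window; repeated identical activity is not re-alerted.` would cover it. Separately, the `setup` block lists Auditbeat as a supported source while the `tags` list only Elastic Endgame and Elastic Defend; whichever is right, the two should agree.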
+++ b/rules/linux/credential_access_credential_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/11/02"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,32 @@ references = [ ] risk_score = 47 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/credential_access_gdb_init_memory_dump.toml b/rules/linux/credential_access_gdb_init_memory_dump.toml index c1d71fc94..e0cec14d8 100644 --- a/rules/linux/credential_access_gdb_init_memory_dump.toml +++ b/rules/linux/credential_access_gdb_init_memory_dump.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/30" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
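Review bot: The new `setup` text opens with `This rule requires data coming in from Elastic Defend.` while the unchanged `tags` line directly below still lists `Data Source: Elastic Endgame` alongside Elastic Defend, so the two disagree on whether Endgame events are a supported source; a user with only Endgame will read the setup as saying the rule does not apply to them. Either add Endgame to the sentence (`This rule requires data coming in from Elastic Defend or Elastic Endgame.`) or drop the Endgame tag, whichever reflects the index pattern the rule actually queries (the `index` line is outside this hunk). The enclosing `[rule]` table continues outside the hunk.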
@@ -24,6 +24,32 @@ references = [ ] risk_score = 47 rule_id = "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index 1f1ecf4d2..be4c0071c 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
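Review bot: The agent-policy reference is pinned to a release, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while every other link in the same `setup` block uses `current`; once 8.11 ships the pinned page goes stale and, because this text is copied verbatim into several rules, it will drift in all of them at once. Unless the wording depends on something specific to 8.10, `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` keeps the block consistent with its neighbours. The enclosing `[rule]` table continues outside the hunk.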
@@ -20,6 +20,32 @@ license = "Elastic License v2" name = "Potential Linux Local Account Brute Force Detected" risk_score = 47 rule_id = "835c0622-114e-40b5-a346-f843ea5d01f1" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index a5c038256..97cf8340b 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/28" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ from = "now-9m" index = ["logs-system.auth-*"] language = "eql" license = "Elastic License v2" +max_signals = 5 name = "Potential External Linux SSH Brute Force Detected" note = """## Triage and analysis 
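Review bot: `max_signals = 5` caps the number of alerts one execution of this rule can write, and for a brute-force detection keyed per `host.id, source.ip, user.name` that cap truncates rather than dedupes: a single `from = "now-9m"` run that sees a scan from more than five source IPs, or against more than five hosts, silently drops the remainder, and nothing in the rule's `note` tells the analyst the alert list may be partial. If the goal is to stop one noisy scanner flooding the alert index, per-rule alert suppression (where the target stack supports it for EQL rules) would preserve coverage; otherwise the limit deserves a sentence in the triage note, e.g. `Alerts are capped at 5 per rule run; during a wide scan, query the underlying authentication events rather than relying on the alert count.` The enclosing `[rule]` table continues outside the hunk.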
@@ -58,11 +59,36 @@ In case this rule generates too much noise and external brute forcing is of not """ risk_score = 21 rule_id = "fa210b61-b627-4e5e-86f4-17e8270656ab" +setup = """ + +This rule requires data coming in from Filebeat. + +### Filebeat Setup +Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. + +#### The following steps should be executed in order to add the Filebeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html). +- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). +- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). +- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). + +#### Rule Specific Setup Note +- This rule requires the “Filebeat System Module” to be enabled. +- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. 
+- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). + +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" query = ''' -sequence by host.id, source.ip, user.name with maxspan=5s +sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and not cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index fae0e736c..bacd6e116 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/28" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ from = "now-9m" index = ["logs-system.auth-*"] language = "eql" license = "Elastic License v2" +max_signals = 5 name = "Potential Internal Linux SSH Brute Force Detected" note = """## Triage and analysis 
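Review bot: The added `setup` block tells users to install Filebeat and enable its System module, but the rule's metadata says `integration = ["system"]` and the `index` line in the earlier hunk is `logs-system.auth-*`; a standalone Filebeat system module writes to the `filebeat-*` index pattern by default, so someone following these steps ingests the auth logs and gets no alerts unless they also route Filebeat into a matching data stream. The setup should describe the Elastic Agent System integration (via Fleet) as the supported path, and if standalone Filebeat is meant to work too, say explicitly that its output must land in an index matched by `logs-system.auth-*`. Widening `maxspan` from 5s to 15s is a sensible tolerance for throttled brute forcers but is a tuning change and deserves a line in the description or note. The `sequence` query continues outside the hunk.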
@@ -54,11 +55,36 @@ The rule identifies consecutive internal SSH login failures targeting a user acc """ risk_score = 47 rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb" +setup = """ + +This rule requires data coming in from Filebeat. + +### Filebeat Setup +Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. + +#### The following steps should be executed in order to add the Filebeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html). +- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). +- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). +- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). + +#### Rule Specific Setup Note +- This rule requires the “Filebeat System Module” to be enabled. +- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. 
+- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" query = ''' -sequence by host.id, source.ip, user.name with maxspan=5s +sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml index efa147837..fcba9634c 100644 --- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/06" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
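Review bot: The `setup` block added here documents Filebeat with its System module, yet the rule declares `integration = ["system"]` and, per the earlier hunk, reads only `logs-system.auth-*`; Filebeat's default output is the `filebeat-*` index pattern, so the documented path does not feed this rule unless the user also reconfigures Filebeat's output, which the text does not mention. Point the steps at the Elastic Agent System integration, or add a bullet under `Rule Specific Setup Note` stating that Filebeat output must be written to a data stream matched by `logs-system.auth-*`. As a style point, the reflowed `tags` array puts the first entry on the `tags = [` line and indents the closing `]`, unlike the one-entry-per-line layout used in the other rules touched by this commit. The `sequence` query continues outside the hunk.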
@@ -21,23 +21,44 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Successful Linux FTP Brute Force Attack Detected" -note = """## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. -``` -Kibana --> -Management --> -Integrations --> -Auditd Manager --> -Add Auditd Manager -``` -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. -``` -For this detection rule no additional audit rules are required to be added to the integration. -``` -Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -""" risk_score = 47 rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. 
You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. 
+- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required to be added to the integration. + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml index 47419a0c1..297d5b761 100644 --- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/06" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
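Review bot: The heading `#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:` names the wrong integration: Auditd Manager is its own Fleet integration, not the System integration, and the sentence sends readers looking for the wrong package; `#### The following steps should be executed in order to add the Elastic Agent "Auditd Manager" integration on a Linux System:` matches the steps that follow. The Auditbeat section also gives no rule-specific note, whereas the Auditd Manager section does; since the rule queries `auditbeat-*`, a bullet saying which Auditbeat module (presumably `auditd`, the query is outside this hunk) must be enabled to produce the authentication records would keep the two sources at parity. The enclosing `[rule]` table continues outside the hunk.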
@@ -21,23 +21,44 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Successful Linux RDP Brute Force Attack Detected" -note = """## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. -``` -Kibana --> -Management --> -Integrations --> -Auditd Manager --> -Add Auditd Manager -``` -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. -``` -For this detection rule no additional audit rules are required to be added to the integration. -``` -Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -""" risk_score = 47 rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. 
You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. 
+- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required to be added to the integration. + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" diff --git a/rules/linux/credential_access_bruteforce_password_guessing.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml similarity index 50% rename from rules/linux/credential_access_bruteforce_password_guessing.toml rename to rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index 691f6575b..54d58ed62 100644 --- a/rules/linux/credential_access_bruteforce_password_guessing.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/05" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
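Review bot: The step heading describes Auditd Manager as the `Elastic Agent System integration "auditd_manager"`, which it is not: it is a separate Fleet integration, and the System integration does not ship auditd records. Rewording to `#### The following steps should be executed in order to add the Elastic Agent "Auditd Manager" integration on a Linux System:` removes the ambiguity. The `Rule Specific Setup Note` only covers Auditd Manager; for the `auditbeat-*` side a one-line statement of which Auditbeat module must be enabled would complete the setup (the query itself is outside this hunk, so I cannot confirm which events it keys on). The enclosing `[rule]` table continues outside the hunk.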
@@ -49,11 +49,49 @@ The rule identifies consecutive SSH login failures followed by a successful logi """ risk_score = 73 rule_id = "8cb84371-d053-4f4f-bce0-c74990e28f28" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Filebeat + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +### Filebeat Setup +Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. 
+ +#### The following steps should be executed in order to add the Filebeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html). +- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). +- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). +- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). + +#### Rule Specific Setup Note +- This rule requires the “Filebeat System Module” to be enabled. +- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. +- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). 
+ +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ] type = "eql" query = ''' -sequence by host.id, source.ip, user.name with maxspan=3s +sequence by host.id, source.ip, user.name with maxspan=15s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index 6cea68f70..e5e2399e4 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/26" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -25,6 +25,32 @@ references = [ ] risk_score = 47 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index c7d1cf2eb..c7d883179 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
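Review bot: The agent-policy link in the Elastic Defend block is pinned to `fleet/8.10/agent-policy.html` while the surrounding links use `current`, so it will drift out of date; change it to `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`. The same pinned link is repeated in the identical setup blocks added to `credential_access_ssh_backdoor_log.toml`, `defense_evasion_attempt_to_disable_iptables_or_firewall.toml`, `defense_evasion_attempt_to_disable_syslog_service.toml`, `defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml`, `defense_evasion_binary_copied_to_suspicious_directory.toml` and `defense_evasion_chattr_immutable_file.toml`, so fix it once in the shared template. The line `For more details on Elastic Agent configuration settings, ...` is not indented under its bullet, so whether it renders as part of the preceding list item or as a separate paragraph depends on the Markdown renderer; indenting it two spaces makes the intent explicit.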
@@ -19,16 +19,53 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential OpenSSH Backdoor Logging Activity" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", ] risk_score = 73 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). 
+- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +#### Custom Ingest Pipeline +For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). + +""" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -37,7 +74,8 @@ type = "eql" query = ''' file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and ( - (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history")) or + (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history", ".google_authenticator", + ".jelenv", ".csvignore", ".rtreport")) or file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or file.path : ( diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index b63cb750d..d9fafe68a 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml 
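Review bot: The new `setup` text says the rule takes data from Elastic Defend or Auditbeat, but the hunk header shows `index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]` and the tags keep `Data Source: Elastic Endgame`, so a third data source is left undocumented; either add an Endgame entry under `This rule requires data coming in from one of the following integrations:` or state that no setup is needed for it. The same mismatch is in the setup hunks for `defense_evasion_attempt_to_disable_syslog_service.toml` and `defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml`, whose tags also keep `Data Source: Elastic Endgame`. In the Custom Ingest Pipeline paragraph, `auditbeats/filebeat/winlogbeat` should read `auditbeat/filebeat/winlogbeat`.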
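Review bot: The four names added to the `not file.name :` exclusion are bare basenames with no comment saying which legitimate writer produces each one, so the next person tuning this rule cannot tell whether they are still needed; the query already uses `//` comments elsewhere, so a line such as `// benign dotfiles touched under sshd sessions (e.g. the PAM google-authenticator secret, presumably); confirm before removing` above the `not file.name` clause would capture that. Because the exclusion matches on `file.name` alone it applies in every directory the event is observed in; if the benign writes are confined to home directories, narrowing them with a `file.path` condition keeps the exclusion tight. The `query` block continues outside the hunk.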
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -19,6 +19,32 @@ license = "Elastic License v2" name = "Attempt to Disable IPTables or Firewall" risk_score = 21 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 38099dc7d..644ed904f 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/28" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -19,6 +19,44 @@ license = "Elastic License v2" name = "Attempt to Disable Syslog Service" risk_score = 47 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). 
+- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index b2c598330..93bcb474a 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -22,6 +22,44 @@ license = "Elastic License v2" name = "Base16 or Base32 Encoding/Decoding Activity" risk_score = 21 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). 
+- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index 593d8d909..f25bd9e60 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/29" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -20,13 +20,39 @@ license = "Elastic License v2" name = "System Binary Copied and/or Moved to Suspicious Directory" risk_score = 21 rule_id = "fda1d332-5e08-4f27-8a9b-8c802e3292a6" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and - process.name in ("cp", "mv", "cat") and process.args : ( + process.name in ("cp", "mv") and process.args : ( // Shells "/bin/*sh", "/usr/bin/*sh", @@ -44,10 +70,10 @@ sequence by host.id, process.entity_id with maxspan=1s "/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap", // System utilities - "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/mv", "/usr/bin/mv", "/bin/cp", "/usr/bin/cp", - "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", "/bin/wget", "/usr/bin/wget", "/bin/tmux", - "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" - )] + "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", + "/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", + "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" + ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] [file where host.os.type == "linux" and event.action == "creation" and file.path : ( "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" )] 
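Review bot: The new `and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")` exclusion keys on the parent's name only, which is just whatever the launching process happens to be called, so it drops coverage for any `cp`/`mv` of a system binary under a parent with one of those names regardless of where that parent runs from; a comment such as `// package/initramfs tooling that legitimately copies system binaries` recording why each parent is excluded, plus a `process.parent.executable` match where those tools live at fixed paths, would keep the tuning auditable. The `[process where ...]` clause this condition belongs to starts in the previous hunk, so the note applies to that clause as a whole.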
@@ -61,6 +87,15 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename System Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index bd1ba550a..f0ec2bf0e 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -20,12 +20,49 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "File made Immutable by Chattr" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). 
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). 
+- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +#### Custom Ingest Pipeline +For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml new file mode 100644 index 000000000..f0e6bf8aa --- /dev/null +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml 
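Review bot: The new `setup` text says the rule requires data from Elastic Defend or Auditbeat, but the `tags` line immediately after the hunk also declares `Data Source: Elastic Endgame`, which the setup never mentions. If the rule's `index` list (outside this hunk) still covers Endgame data, add `- Elastic Endgame` to the "one of the following integrations" list; if it does not, the tag is stale and should be cleaned up in a follow-up. Separately, the agent-policy link is pinned to `fleet/8.10/` while every other link in the block uses `current`; `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` keeps the block from going stale on the next minor.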
@@ -0,0 +1,90 @@
+[metadata]
+creation_date = "2023/10/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events
+to evade detection after installing a Linux kernel module (LKM).
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Attempt to Clear Kernel Ring Buffer"
+risk_score = 21
+rule_id = "2724808c-ba5d-48b2-86d2-0002103df753"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process.name == "dmesg" and process.args : "-c"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+name = "Impair Defenses"
+id = "T1562"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+name = "Disable or Modify Tools"
+id = "T1562.001"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[[rule.threat.technique]]
+name = "Indicator Removal"
+id = "T1070"
+reference = "https://attack.mitre.org/techniques/T1070/"
+
+[[rule.threat.technique.subtechnique]]
+name = "Clear Linux or Mac System Logs"
+id = "T1070.002"
+reference = "https://attack.mitre.org/techniques/T1070/002/"
+
+[rule.threat.tactic]
+name = "Defense Evasion"
+id = "TA0005"
+reference = 
"https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index cce4ddafc..1a7896e5d 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/28" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -20,6 +20,32 @@ license = "Elastic License v2" name = "Potential Disabling of AppArmor" risk_score = 21 rule_id = "fac52c69-2646-4e79-89c0-fd7653461010" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 2e63d67c3..a7d4c9760 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -20,6 +20,44 @@ license = "Elastic License v2" name = "Potential Disabling of SELinux" risk_score = 47 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). 
+- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index fb836c5a3..bdd999459 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/04/11" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -25,6 +25,32 @@ references = [ ] risk_score = 47 rule_id = "30bfddd7-2954-4c9d-bbc6-19a99ca47e23" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 58e8df6f5..09ea2aa8f 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
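Review bot: The new `setup` block walks through installing Elastic Defend via Fleet "on a Linux System", but this rule file is named for ESXi timestomping and the block never says which host the agent is expected to run on. Elastic Agent is not an install target on an ESXi hypervisor as far as the links in this block show, so if the telemetry is meant to come from a Linux host where the ESXi-related `touch` activity is observed, the first sentence should say so, e.g. `This rule requires Elastic Defend process events from the Linux host on which the ESXi-related activity is observed.` The `fleet/8.10/` agent-policy link should also use `current` like the other links in the block.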
@@ -20,6 +20,32 @@ license = "Elastic License v2" name = "File Deletion via Shred" risk_score = 21 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 92f58b926..98fcc694e 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,9 +2,9 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/25" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -20,35 +20,77 @@ false_positives = [ ] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "File Permission Modification in Writable Directory" risk_score = 21 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. 
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). 
+ +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "linux" and event.type == "start"and - process.name in ("chmod", "chown", "chattr", "chgrp") and - process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and - not process.parent.name in ("update-motd-updates-available") and - not user.name == "root" +host.os.type:linux and event.category:process and event.type:start and +process.name:(chmod or chown or chattr or chgrp) and +process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.parent.executable", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 954a9ebcf..4422a4d67 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -25,12 +25,49 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Creation of Hidden Files and Directories via CommandLine" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). 
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). 
+- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +#### Custom Ingest Pipeline +For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 28e1f61a5..248b097fb 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -19,12 +19,49 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Creation of Hidden Shared Object File" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). 
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). 
+- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +#### Custom Ingest Pipeline +For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index bb6b41ce3..08f152fb3 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
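Review bot: The new `setup` text lists Elastic Defend and Auditbeat as this rule's data sources, but the `tags` on the new side still carry `"Data Source: Elastic Endgame"`, so a reader of the setup block is not told that Endgame-fed data is also in scope; either add a third bullet, `- Elastic Endgame`, or drop the tag if Endgame data is no longer expected. The same setup/tag mismatch appears in the kernel_module_removal hunk (setup says only Elastic Defend, tags include Endgame) and in the first log_files_deleted hunk (its `index` includes `endgame-*`). Separately, the agent-policy link is pinned to `fleet/8.10/agent-policy.html` while every other link in the same block uses `current`; this pinned link is repeated in every `setup` block of this diff (kernel_module_removal, log_files_deleted, mount_execution, potential_proot_exploits, rename_esxi_files, rename_esxi_index_file, discovery_esxi_software_via_find) and is likely to go stale, so `fleet/current/agent-policy.html` would be the consistent choice.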
@@ -27,6 +27,32 @@ name = "Kernel Module Removal" references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"] risk_score = 47 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml b/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml deleted file mode 100644 index 3771c896f..000000000 --- a/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml +++ /dev/null 
@@ -1,100 +0,0 @@ -[metadata] -creation_date = "2023/06/26" -integration = ["endpoint"] -maturity = "production" -min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0" -min_stack_version = "8.6.0" -updated_date = "2023/08/25" - -[rule] -author = ["Elastic"] -description = """ -This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to -inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious -shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common -and will potentially indicate malicious or suspicious behavior. -""" -from = "now-9m" -index = ["logs-endpoint.events.*"] -language = "eql" -license = "Elastic License v2" -name = "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable" -note = """ This rule was deprecated due to the large amount of false positives and the lack of true positives generated by the rule. -## Setup -By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration. -``` -Kibana --> -Fleet --> -Agent policies --> -Agent policy for which the option should be enabled --> -Name of the Elastic Defend integration --> -Show advanced settings --> -linux.advanced.capture_env_vars -``` -`linux.advanced.capture_env_vars` should be set to `LD_PRELOAD,LD_LIBRARY_PATH`. -After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. 
-""" -references = ["https://www.getambassador.io/resources/code-injection-on-linux-and-macos"] -risk_score = 21 -rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0" -severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where host.os.type == "linux" and event.action == "exec" and process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*") -''' - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - -[[rule.threat.technique.subtechnique]] -id = "T1574.006" -name = "Dynamic Linker Hijacking" -reference = "https://attack.mitre.org/techniques/T1574/006/" - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index 11b7082b3..66aeee81a 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -17,17 +17,61 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "System Log File Deletion" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", ] risk_score = 47 rule_id = "aa895aea-b69c-4411-b110-8d7599634b30" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). 
+- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +#### Custom Ingest Pipeline +For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" @@ -47,25 +91,23 @@ file where host.os.type == "linux" and event.type == "deletion" and "/var/log/boot.log", "/var/log/kern.log" ) and - not process.name : ("gzip") + not process.name in ("gzip", "executor", "dockerd") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index 18d005f07..78ac321cb 100644 --- a/rules/linux/defense_evasion_mount_execution.toml 
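Review bot: The widened exclusion `not process.name in ("gzip", "executor", "dockerd")` keys only on the process name, which is chosen by whoever launches the process, so any deletion of the listed log files by a process that carries one of those names is now silently exempt from a rule whose purpose is to catch indicator removal. The exemption should be tied to something harder to mimic than the name, for example `not (process.name == "dockerd" and process.executable : "/usr/bin/dockerd")` (path illustrative; confirm against the deployed hosts), or scoped by parent process. `executor` in particular is a generic name that identifies no product, so a short comment in the rule naming the source of that false positive would let the next maintainer judge whether it still belongs in the list. The `file where ...` head of the query and the deleted-file list begin outside the hunk.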
+++ b/rules/linux/defense_evasion_mount_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -27,6 +27,32 @@ references = [ ] risk_score = 47 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index ed827eebb..426f6a76f 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/07" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -30,6 +30,32 @@ references = [ ] risk_score = 47 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 03fd982a3..3e92debd9 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/04/11" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -23,6 +23,32 @@ references = [ ] risk_score = 47 rule_id = "97db8b42-69d8-4bf3-9fd4-c69a1d895d68" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index d71c8b051..bf24c7683 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/04/11" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -23,6 +23,32 @@ references = [ ] risk_score = 47 rule_id = "c125e48f-6783-41f0-b100-c3bf1b114d16" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index 64ebdb855..7257d2f97 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/04/11" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -25,6 +25,32 @@ references = [ ] risk_score = 47 rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 309468451..780bf18a0 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -24,6 +24,32 @@ references = [ ] risk_score = 47 rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 863c343d2..334bc4366 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -26,6 +26,32 @@ license = "Elastic License v2" name = "Enumeration of Kernel Modules" risk_score = 47 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -35,8 +61,7 @@ event.category:process and host.os.type:linux and event.type:start and ( (process.name:(lsmod or modinfo)) or (process.name:kmod and process.args:list) or (process.name:depmod and process.args:(--all or -a)) -) and process.parent.name:(sudo or bash or dash or ash or sh or tcsh or csh or zsh or ksh or fish) and -not process.parent.user.id:0 +) ''' [[rule.threat]] @@ -54,7 +79,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" -value = ["process.parent.name", "host.id"] +value = ["host.id", "process.command_line", "process.parent.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index c28247d52..05b256ac9 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
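Review bot: Dropping the `process.parent.name:(sudo or bash …)` and `not process.parent.user.id:0` clauses widens the query to every lsmod/modinfo/kmod/depmod start, including ones launched by root-owned package and kernel maintenance tooling (depmod -a is, as far as I know, commonly run from kernel package post-install scripts). The new-terms grouping on parent executable probably caps that at one alert per unseen parent, but nothing in the file records why the shell-parent and non-root constraints were removed. A `false_positives` entry naming the expected benign launchers, or a sentence in `description` (which lies outside this hunk), would preserve that rationale for the next tuning pass.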
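Review bot: Using `process.command_line` as a new-terms field means every previously unseen argument combination on a host (a `modinfo <module>` with a different module name, for instance) becomes a new term, which is likely to raise alert volume relative to the old `process.parent.name` grouping; I am inferring this from the field choice, not from measured data. If the intent is to catch unfamiliar launchers rather than unfamiliar arguments, `["host.id", "process.parent.executable"]` may give the same signal with less churn, and either way the expected volume is worth a sentence in `description`. The `min_stack_comments` line and `min_stack_version = "8.6.0"` are consistent with the three-field list.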
@@ -26,6 +26,44 @@ name = "Hping Process Activity" references = ["https://en.wikipedia.org/wiki/Hping"] risk_score = 47 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). 
+- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
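Review bot: The new `setup` block presents Auditbeat as a supported data source, but the unchanged `tags` line in the same hunk carries `Data Source: Elastic Endgame` and `Data Source: Elastic Defend` with no Auditbeat entry, and the file's `integration` metadata (visible in the earlier hunk) is `["endpoint"]` only; the declared sources and the setup text should agree, though the index pattern is not visible here so I cannot tell which side is right. The same mismatch appears in the nping hunk (discovery_linux_nping_activity). The last Auditbeat bullet also uses curly quotes, `“Setup and Run Auditbeat”`, where the rest of the block uses straight quotes.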
diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 4b58715db..1242b8c6d 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -26,6 +26,44 @@ name = "Nping Process Activity" references = ["https://en.wikipedia.org/wiki/Nmap"] risk_score = 47 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). 
+- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml
new file mode 100644
index 000000000..a0f919c15
--- /dev/null
+++ b/rules/linux/discovery_ping_sweep_detected.toml
@@ -0,0 +1,78 @@ +[metadata] +creation_date = "2023/09/04" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" + +[rule] +author = ["Elastic"] +description = """ +This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. +Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while +attempting to evade detection or due to the lack of network mapping tools available on the compromised host. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential Network Scan Executed From Host" +risk_score = 47 +rule_id = "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] +timestamp_override = "event.ingested" +type = "threshold" +query = ''' +host.os.type:linux and event.action:exec and event.type:start and +process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.threshold] +field = ["host.id", "process.parent.entity_id", "process.executable"] +value = 1 + +[[rule.threshold.cardinality]] +field = "process.args" +value = 100 
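Review bot: The query in this new rule omits the `event.category:process` clause that the sibling kuery rule in this change (discovery_kernel_module_enumeration) keeps, relying on `event.action:exec and event.type:start` alone; prefixing the query with `event.category:process and` keeps the two consistent and makes the document type explicit rather than implied by the index pattern. `updated_date = "2023/10/19"` predates the `2023/11/02` stamped on every other file in this change, which may be deliberate for a new file but looks out of step. In the `setup` text, "We suggest to select" should read "We suggest selecting" as in the other copies, and the first Elastic Defend sentence is wrapped mid-sentence unlike its copies, so the rendered block will differ from the others for no reason.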
diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml index e39b6edeb..171641a7f 100644 --- a/rules/linux/discovery_pspy_process_monitoring_detected.toml +++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/20" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -19,29 +19,34 @@ index = ["logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Pspy Process Monitoring Detected" -note = """## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. - -``` -Kibana --> -Management --> -Integrations --> -Auditd Manager --> -Add Auditd Manager -``` - -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. - -For this detection rule to trigger, the following additional audit rules are required to be added to the integration: -``` --w /proc/ -p r -k audit_proc -``` - -Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -""" references = ["https://github.com/DominicBreuker/pspy"] risk_score = 21 rule_id = "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc" +setup = """ + +This rule requires data coming in from Auditd Manager. + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. 
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule the following additional audit rules are required to be added to the integration: + -- "-w /proc/ -p r -k audit_proc" + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] type = "eql" diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index f3f6dbc7a..3730ba69d 100644 
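Review bot: The required audit rule is now rendered as a quoted bullet, `-- "-w /proc/ -p r -k audit_proc"`, whereas the removed `note` kept it in a fenced code block; a reader copying the bullet into the "audit rules" box is likely to carry the surrounding quotes and the `--` prefix along with it. A plain bullet without quotes, `- -w /proc/ -p r -k audit_proc`, or a fenced block as before, keeps it paste-safe. The heading `add the Elastic Agent System integration "auditd_manager"` reads as if this were the System integration; "Elastic Agent integration" is presumably what was meant. This file also uses curly quotes (`“Add integrations”`) where the other `setup` blocks in this change use straight quotes.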
--- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/30" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -20,6 +20,32 @@ license = "Elastic License v2" name = "Sudo Command Enumeration Detected" risk_score = 21 rule_id = "28d39238-0c01-420a-b77a-24e5a7378663" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 3603a08b8..95e93fd6c 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -22,6 +22,32 @@ license = "Elastic License v2" name = "SUID/SGUID Enumeration Detected" risk_score = 21 rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -30,8 +56,10 @@ query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "find" and process.args : "-perm" and process.args : ( "/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s" -) and -not user.Ext.real.id == "0" and not group.Ext.real.id == "0" +) and not ( + user.Ext.real.id == "0" or group.Ext.real.id == "0" or process.args_count >= 12 or + (process.args : "/usr/bin/pkexec" and process.args : "-xdev" and process.args_count == 7) +) ''' [[rule.threat]] diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index f7c1fcf9f..9c0eb17df 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/29" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
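Review bot: The added exclusion `process.args_count >= 12` suppresses every long `find -perm` invocation regardless of what the arguments are, and nothing in the file explains the cutoff or the `/usr/bin/pkexec … -xdev` seven-argument case. A `false_positives` entry, or a sentence in `description` (outside this hunk), naming the benign scanner these were tuned for would let the next reviewer judge whether the count-based clause can be narrowed to that tool's exact argument shape. As written, the rationale lives only in the commit history.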
@@ -20,13 +20,40 @@ license = "Elastic License v2" name = "Unusual User Privilege Enumeration via id" risk_score = 21 rule_id = "afa135c0-a365-43ab-aa35-fd86df314a47" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and - process.name == "id" and process.args_count == 2] with runs=20 + process.name == "id" and process.args_count == 2 and + not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 ''' [[rule.threat]] diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index 6933b4667..2eaaf3647 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
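Review bot: The added exclusion `not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")` leaves no trace in the rule of why a wildcard path under `/var/tmp` is trusted; from the pattern this looks like package scriptlets that rpm runs through a shell, but that is an inference, and a later maintainer will not know whether the `or` (rather than `and`) between the two conditions is deliberate. Please add a `false_positives` entry such as `"Package scriptlets executed by rpm from /var/tmp/rpm-tmp.* call id repeatedly during installs; these are excluded by parent process name and arguments."` so the reason is preserved next to the query. The `[[rule.threat]]` table that follows the query continues outside the hunk.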
@@ -26,6 +26,44 @@ license = "Elastic License v2" name = "Virtual Machine Fingerprinting" risk_score = 73 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). 
+- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
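Review bot: The new setup block says the rule accepts data from Elastic Defend or Auditbeat, but the `tags` line immediately after it lists `Data Source: Elastic Endgame` and `Data Source: Elastic Defend` with no Auditbeat entry, and the `integration = ["endpoint"]` metadata at the top of this file names only the endpoint integration; one side is out of date. Either add the corresponding Auditbeat data-source tag (whatever spelling the repo's tag validation accepts) and drop or document the Endgame entry, or remove the Auditbeat section from `setup`. The Netcat file-transfer rule later in this diff has the same mismatch: its setup describes Auditbeat while its tags name only Elastic Defend.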
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 0530134d6..3777d753c 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/08/31" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -64,6 +64,7 @@ This rule identifies the creation of PID, lock, or reboot files in the /var/run/ - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + """ references = [ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", 
@@ -73,8 +74,42 @@ references = [ ] risk_score = 47 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -87,7 +122,7 @@ user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* o process.executable : ( ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* )) -) and not process.name : (go or git) +) and not process.name : (go or git or containerd* or snap-confine) ''' [[rule.threat]] @@ -105,7 +140,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" -value = ["process.executable", "file.path"] +value = ["host.id", "process.executable", "file.path"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml new file mode 100644 index 000000000..569af1415 --- /dev/null +++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml 
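Review bot: The widened exclusion `not process.name : (go or git or containerd* or snap-confine)` keys purely on `process.name`, and the `containerd*` wildcard now excludes any binary whose name starts with that prefix; a file name is the weakest attribute to anchor an exclusion on, whereas the clause above already reasons about `process.executable`. The exclusion would hold up better on the executable path, e.g. `not process.executable : ("/usr/bin/containerd*", "/usr/lib/snapd/snap-confine")` (paths constructed; confirm against the false-positive data), keeping `go` and `git` by name only if their install locations vary too much. The outer `not (...)` and the `process.executable` clause begin outside this hunk. The separate `new_terms` change that adds `host.id` is sound but is worth a sentence in the description or `min_stack_comments` noting that baselines are now tracked per host, since that changes alert volume after deployment.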
@@ -0,0 +1,101 @@ +[metadata] +creation_date = "2023/10/11" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." +min_stack_version = "8.6.0" +updated_date = "2023/11/02" + +[rule] +author = ["Elastic"] +description = """ +Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction +with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow +during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed +with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, +HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. +""" + +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential curl CVE-2023-38545 Exploitation" +references = [ + "https://curl.se/docs/CVE-2023-38545.html", + "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", + "https://twitter.com/_JohnHammond/status/1711986412554531015" +] +risk_score = 47 +rule_id = "f41296b4-9975-44d6-9486-514c6f635b2d" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). 
+ +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +Elastic Defend integration does not collect environment variable logging by default. +In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration. + #### To set up environment variable capture for an Elastic Agent policy: +- Go to “Security → Manage → Policies”. +- Select an “Elastic Agent policy”. 
+- Click “Show advanced settings”. +- Scroll down or search for “linux.advanced.capture_env_vars”. +- Enter the names of environment variables you want to capture, separated by commas. +- For this rule the linux.advanced.capture_env_vars variable should be set to "http_proxy,HTTPS_PROXY,ALL_PROXY". +- Click “Save”. +After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. +For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). + +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "curl" +and ( + process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or + process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") +) and length(process.command_line) > 255 +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index 64b8c70bb..29389ee03 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml 
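Review bot: The description says curl `<= 8.3` is vulnerable, but the linked advisory (https://curl.se/docs/CVE-2023-38545.html) gives a bounded range, 7.69.0 through 8.3.0; quoting that range stops analysts from treating every older build as affected. The `length(process.command_line) > 255` threshold is the core of the detection and is never explained; a sentence in the description such as `The 255-byte bound reflects the SOCKS5 hostname length limit whose overflow the CVE describes` would make it reviewable (confirm the wording against the advisory). The env-var clause matches `http_proxy`, `HTTPS_PROXY` and `ALL_PROXY` only, while curl also honours the lowercase `https_proxy` and `all_proxy`; if the `linux.advanced.capture_env_vars` list in the setup section is extended to include them, the query should add `"https_proxy=socks5h://*"` and `"all_proxy=socks5h://*"`, and the variable names should be documented identically in both places.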
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/28" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -20,6 +20,32 @@ license = "Elastic License v2" name = "File Creation, Execution and Self-Deletion in Suspicious Directory" risk_score = 47 rule_id = "09bc6c90-7501-494d-b015-5d988dc3f233" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index a42656946..1f860d513 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -62,6 +62,7 @@ This rule identifies potential reverse shell or bind shell activity using Netcat - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + """ references = [ "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", 
@@ -73,6 +74,44 @@ references = [ ] risk_score = 47 rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml new file mode 100644 index 000000000..b883f27cb 
--- /dev/null +++ b/rules/linux/execution_interpreter_tty_upgrade.toml 
@@ -0,0 +1,83 @@ +[metadata] +creation_date = "2023/09/20" +integration = ["endpoint"] +maturity = "production" +updated_date = "2023/11/02" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" + +[rule] +author = ["Elastic"] +description = """ +Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade +a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more +stable connection. +""" +from = "now-9m" +index = ["logs-endpoint.events.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Upgrade of Non-interactive Shell" +risk_score = 47 +rule_id = "84d1f8db-207f-45ab-a578-921d91c23eb2" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+ +""" +severity = "medium" +timestamp_override = "event.ingested" +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] +type = "eql" +query = ''' +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( + (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or + (process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and + process.args_count == 4) +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml new file mode 100644 index 000000000..a08fcd393 --- /dev/null +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml 
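Review bot: `index` includes `endgame-*`, the query accepts `event.action in ("exec", "exec_event")`, and the tags list `Data Source: Elastic Endgame`, yet the new `setup` text says the rule requires data from Elastic Defend alone; the setup should mention Endgame as an alternative source, or the Endgame index and action should be dropped, so that the three agree. The `[metadata]` table also orders `updated_date` before `min_stack_comments`/`min_stack_version`, unlike every other rule in this diff; reorder to match. A `false_positives` entry naming the benign programs expected to run `stty raw -echo` or `script -qc ... /dev/null` would help triage, since none is given (I cannot verify from here which tools do).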
@@ -0,0 +1,89 @@ +[metadata] +creation_date = "2023/09/22" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/30" + +[rule] +author = ["Elastic"] +description = """ +Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses +the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction +with netcat to gain a more stable reverse shell. +""" +false_positives = [ + """ + Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux + distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may + originate from scripts, automation tools, and frameworks. + """, +] +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Netcat Listener Established via rlwrap" +risk_score = 21 +rule_id = "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". 
+- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+ +""" +severity = "low" +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "rlwrap" and process.args in ( + "nc", "ncat", "netcat", "nc.openbsd", "socat" +) and process.args : "*l*" and process.args_count >= 4 +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 4e006cd92..13f948802 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/28" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
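Review bot: The listener test `process.args : "*l*"` matches any argument that contains the letter l, including host names, file paths and `localhost`, so an ordinary `rlwrap nc <host> <port>` client connection can trip the rule whenever the host name contains that letter; the netcat family signals a listener with a flag, so requiring the dash narrows it: `process.args : "-*l*"`. socat, also in the list, does not use a `-l` flag, so if it is meant to be covered it needs its own branch, for example `(process.args == "socat" and process.args : "*listen*")` (constructed; confirm against the socat invocations you expect). The `updated_date = "2023/10/30"` differs from the `2023/11/02` used by every other file in this commit, and the setup block is a drifted copy of the shared text (`We suggest to select` versus `We suggest selecting`, different line wrapping); both look unintended.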
@@ -20,6 +20,32 @@ license = "Elastic License v2" name = "Network Connection via Recently Compiled Executable" risk_score = 47 rule_id = "64cfca9e-0f6f-4048-8251-9ec56a055e9e" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index 5ba37257c..d36348aa5 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
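Review bot: The agent-policy link in the added setup text is pinned to one release, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while every other link in the same block uses `current` and the rule's `min_stack_version` is 8.3.0, so readers on other stack versions are sent to guidance for a version they may not run. Consider `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` for consistency with the neighbouring links. The same pinned link is in the setup blocks added to execution_perl_tty_shell.toml, execution_potential_hack_tool_executed.toml, execution_process_started_from_process_id_file.toml, execution_process_started_in_shared_memory_directory.toml, execution_python_tty_shell.toml, execution_remote_code_execution_via_postgresql.toml, execution_shell_evasion_linux_binary.toml and execution_shell_suspicious_parent_child_revshell_linux.toml.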
@@ -19,6 +19,44 @@ license = "Elastic License v2" name = "Interactive Terminal Spawned via Perl" risk_score = 73 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). 
+- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
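Review bot: The added setup text says the rule accepts data from either Elastic Defend or Auditbeat, but the unchanged `tags` line just below lists `Data Source: Elastic Endgame` and `Data Source: Elastic Defend` and no Auditbeat data-source tag, so the setup and the tags disagree about which sources feed this rule. Either add the matching data-source tag for Auditbeat (and an Endgame paragraph to the setup, if the index pattern really covers it) or drop the Auditbeat section; the `index` list that would settle this lies outside the hunk. Also, the quotation marks in `“Setup and Run Auditbeat”` are typographic while the rest of the block uses straight `"` quotes; one style would be tidier.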
diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml
new file mode 100644
index 000000000..7d116f4cd
--- /dev/null
+++ b/rules/linux/execution_potential_hack_tool_executed.toml
@@ -0,0 +1,87 @@ +[metadata] +creation_date = "2023/09/22" +integration = ["endpoint"] +maturity = "production" +updated_date = "2023/10/30" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" + +[rule] +author = ["Elastic"] +description = """ +Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from +this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as +well. +""" +from = "now-9m" +index = ["logs-endpoint.events.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Linux Hack Tool Launched" +risk_score = 47 +rule_id = "1df1152b-610a-4f48-9d7a-504f6ee5d9da" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" +severity = "medium" +timestamp_override = "event.ingested" +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] +type = "eql" +query = ''' +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name in ( + // exploitation frameworks + "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc", + // network scanners (nmap left out to reduce noise) + "zenmap", "nuclei", "netdiscover", "legion", + // web enumeration + "gobuster", "dirbuster", "dirb", "wfuzz", "ffuf", "whatweb", "eyewitness", + // web vulnerability scanning + "wpscan", "joomscan", "droopescan", "nikto", + // exploitation tools + "sqlmap", "commix", "yersinia", + // cracking and brute forcing + "john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack", + // host and network + "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm" +) +''' + 
+[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index d5c18644d..c70c71ee0 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -31,7 +31,9 @@ note = """## Triage and analysis Detection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation: - Examine parent and child process relationships of the new process to determine if other processes are running. - Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';" -- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.""" +- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation. + +""" references = [ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", 
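Review bot: The new rule's `index` includes `endgame-*` and its tags include `Data Source: Elastic Endgame`, yet `setup` opens with `This rule requires data coming in from Elastic Defend.` and describes only the Defend integration, so the setup understates the supported sources; the same Endgame-tag-but-Defend-only-setup mismatch is in the setup blocks of execution_process_started_from_process_id_file.toml, execution_process_started_in_shared_memory_directory.toml, execution_python_tty_shell.toml, execution_remote_code_execution_via_postgresql.toml and execution_shell_evasion_linux_binary.toml. The perl_tty_shell setup in this same commit already uses the wording `This rule requires data coming in from one of the following integrations:` followed by a list, which would fit here too. Separately, the script entries `linenum.sh` and `linpeas.sh` are matched on `process.name`, which covers only direct execution; when a script is started through an interpreter the interpreter is the `process.name` and the script is in `process.args`, so a short `//` comment stating that this narrower scope is intentional, or an additional `process.args` clause for those two names, would make the coverage explicit. Finally, `We suggest to select` should read `We suggest selecting` as in the other setup blocks.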
@@ -40,6 +42,32 @@ references = [ ] risk_score = 73 rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 097216c02..d15be4abe 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -32,6 +32,32 @@ references = [ ] risk_score = 73 rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 9e121608a..b6129d5f6 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint"] maturity = "production" -updated_date = "2023/06/29" +updated_date = "2023/11/02" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -19,6 +19,32 @@ license = "Elastic License v2" name = "Interactive Terminal Spawned via Python" risk_score = 73 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "high" timestamp_override = "event.ingested" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] @@ -27,10 +53,10 @@ type = "eql" query = ''' process where host.os.type == "linux" and event.action in ("exec", "exec_event") and ( - (process.parent.name : "python*" and process.name : "*sh" and process.parent.args_count >= 3 and - process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or - (process.parent.name : "python*" and process.name : "*sh" and process.args : "*sh" and process.args_count == 1 - and process.parent.args_count == 1) + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.args : "*sh" and process.args_count == 1 and process.parent.args_count == 1) ) ''' diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 53c2fbe20..ff5fbb6cd 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/31" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
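Review bot: Replacing `process.name : "*sh"` with the explicit shell list in both branches also narrows what the rule fires on: any shell whose name the glob matched but the list omits (for example `pwsh`) no longer triggers, and nothing in the hunk records whether that is deliberate. If the goal was to stop matching non-shell names ending in `sh`, a one-line EQL comment such as `// explicit shell names; the earlier *sh glob also matched non-shell binaries` inside the query would preserve that rationale, and the list is repeated verbatim in the second branch and in the execution_shell_evasion_linux_binary.toml hunk, so the three copies need to stay in sync. The rest of the query is outside the hunk.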
@@ -22,8 +22,41 @@ license = "Elastic License v2" name = "Potential Code Execution via Postgresql" risk_score = 47 rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] +timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index d88e2665e..74de453fd 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/05" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -63,9 +63,6 @@ Initiate the incident response process based on the outcome of the triage. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -The session view analysis for the command alerted is avalible in versions 8.2 and above. """ references = [ "https://gtfobins.github.io/gtfobins/apt/", 
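Review bot: `timestamp_override = "event.ingested"` is a functional addition bundled into a hunk that otherwise only adds setup documentation and reflows `tags`; as far as I understand the rule schema it changes which timestamp the rule's lookback window is evaluated against, so it is easy to miss in a doc-focused review. It would be clearer either in its own commit or with a sentence in the PR description noting the change, alongside the `updated_date` bump.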
@@ -96,6 +93,41 @@ references = [ ] risk_score = 47 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +Session View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above. +#### To confirm that Session View data is enabled: +- Go to “Manage → Policies”, and edit one or more of your Elastic Defend integration policies. +- Select the” Policy settings” tab, then scroll down to the “Linux event collection” section near the bottom. +- Check the box for “Process events”, and turn on the “Include session data” toggle. +- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”. +- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle. +For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
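Review bot: In the added Session View paragraph the quotation marks in `Select the” Policy settings” tab` are misplaced and should read `Select the “Policy settings” tab`. The same block says Session View is available "for versions 8.3 and above", while the `## Setup` text removed from `note` earlier in this file (hunk `@@ -63,9 +63,6 @@`) said 8.2 and above; one of the two is wrong, so please confirm the version before the old wording is gone.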
@@ -107,7 +139,7 @@ process where host.os.type == "linux" and event.type == "start" and (process.name == "capsh" and process.args == "--") or /* launching shells from unusual parents or parent+arg combos */ - (process.name : "*sh" and ( + (process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( (process.parent.name : "*awk" and process.parent.args : "BEGIN {system(*)}") or (process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh" ) or diff --git a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml index 7bc39e984..af21e4fc4 100644 --- a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml +++ b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/10" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
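Review bot: With `process.name` now restricted to the explicit shell list, the `and not process.name == "ssh"` exclusion in the git branch is dead code, because `ssh` is not in that list, so it should be dropped to keep the query readable: `(process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or`. Note also that in that unchanged line `and` binds tighter than `or`, so the `process.args : (...)` alternative is not tied to a `git` parent at all; that predates this commit and may be intended, but it is worth a comment. The enclosing query starts and ends outside the hunk.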
@@ -17,25 +17,52 @@ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" -name = "Potential Reverse Shell via Suspicious Parent Process" +name = "Deprecated - Potential Reverse Shell via Suspicious Parent Process" +note = "This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule." references = [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). 
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and ( - (process.name : "python*" and process.args : "-c") or - (process.name : "php*" and process.args : "-r") or - (process.name : "perl" and process.args : "-e") or - (process.name : "ruby" and process.args : ("-e", "-rsocket")) or - (process.name : "lua*" and process.args : "-e") or + (process.name : "python*" and process.args == "-c" and not process.args == "/usr/bin/supervisord") or + (process.name : "php*" and process.args == "-r") or + (process.name : "perl" and process.args == "-e") or + (process.name : "ruby" and process.args in ("-e", "-rsocket")) or + (process.name : "lua*" and process.args == "-e") or (process.name : "openssl" and process.args : "-connect") or - (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or (process.name 
: "telnet" and process.args_count >= 3) or (process.name : "awk")) and process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml new file mode 100644 index 000000000..e1e181aea --- /dev/null +++ b/rules/linux/execution_shell_via_background_process.toml 
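Review bot: The deprecation is carried only by the `Deprecated - ` name prefix and the `note`, while the metadata hunk for this same file keeps `maturity = "production"` and adds no `deprecation_date`, so the rule will still be built and shipped alongside the umbrella rule 76e4d92b-61c1-4a95-ab61-5fd94179a1ee it duplicates, producing two alerts for one event. If this repo's deprecation workflow is the usual one, set `maturity = "deprecated"` and `deprecation_date = "2023/11/02"` and move the file to the deprecated rules directory rather than also tuning the query here. Separately, the added setup text links to `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html` while every other link in the block uses `current`; that version-pinned link is copied verbatim into the setup blocks of the background_process, java_revshell, lolbin_interpreter, suspicious_binary and tcp_cli_utility hunks in this diff as well.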
@@ -0,0 +1,92 @@ +[metadata] +creation_date = "2023/09/20" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/02" + +[rule] +author = ["Elastic"] +description = """ +Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp +channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Reverse Shell via Background Process" +risk_score = 47 +rule_id = "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" +severity = "medium" +timestamp_override = "event.ingested" +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] +type = "eql" +query = ''' +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and +process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Command and Control" +id = "TA0011" +reference = 
"https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index e2b712f00..57df034c2 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/25" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
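Review bot: The rule maps to both Execution (TA0002) and Command and Control (TA0011) under `[[rule.threat]]`, but `tags` carries only `"Tactic: Execution"`; the sibling rules keep one `Tactic:` tag per mapped tactic, so add `"Tactic: Command and Control"`. The args pattern `"*/dev/tcp/*0>&1*"` keys on one specific redirection suffix rather than on the `/dev/tcp/` pseudo-device itself, so coverage depends on that exact spelling; since the parent is already constrained to a shell list and the child to `setsid`/`nohup`, consider whether `"*/dev/tcp/*"` alone keeps an acceptable alert volume. Also `timestamp_override` is placed before `tags`, the reverse of the other rules in this diff; minor, but the ordering elsewhere is tags first.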
@@ -22,17 +22,45 @@ references = [ ] risk_score = 47 rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id with maxspan=5s -[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and - process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and - destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id -[ process where host.os.type == "linux" and event.action == "exec" and - process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and - process.parent.args : "-jar" and process.executable : "*sh" ] by process.parent.entity_id + [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and + process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" + ] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and + process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + ] by process.parent.entity_id ''' [[rule.threat]] diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index a865fa968..abbf54a9e 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml 
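Review bot: The network step still excludes loopback by string equality (`destination.ip != "127.0.0.1" and destination.ip != "::1"`), so anything else in 127.0.0.0/8, link-local or multicast still passes the filter, while the lolbin_interpreter hunk in this same diff moves to `not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")`. Align this rule, and tcp_cli_utility which keeps the same equality checks, with that form so the three sibling rules filter local traffic identically. The rest of the sequence body is unchanged apart from re-indentation.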
+++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/10" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -23,25 +23,67 @@ references = [ ] risk_score = 47 rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s -[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( - (process.name : "python*" and process.args : "-c") or - (process.name : "php*" and process.args : "-r") or - (process.name : "perl" and process.args : "-e") or - (process.name : "ruby" and process.args : ("-e", "-rsocket")) or - (process.name : "lua*" and process.args : "-e") or - (process.name : "openssl" and process.args : "-connect") or - (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or - (process.name : "telnet" and process.args_count >= 3) or - (process.name : "awk")) and - process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] -[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and - process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and - destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and ( + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and 
process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or + (process.name : "telnet" and process.args_count >= 3) + ) and process.parent.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", + "openssl", "nc", "netcat", "ncat", "telnet", "awk")] + [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ''' [[rule.threat]] diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index 9488c98c5..202e77942 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" min_stack_version = "8.6.0" -updated_date = "2023/08/10" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
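Review bot: The first step of the sequence now admits `"perl*"`, `"ruby*"` and `("awk", "gawk", "mawk", "nawk")`, but the network step joined on the same `process.entity_id` still restricts `process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk")`, so a `gawk`/`mawk`/`nawk` process (or any name matched by `perl*`/`ruby*` but not equal to `perl`/`ruby`) can satisfy step one and never step two — those new branches are dead. Widen the network step to `process.name : ("python*", "php*", "perl*", "ruby*", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "gawk", "mawk", "nawk")`; the `process.parent.name` list at the end of step one has the same mismatch (`"perl", "ruby"` and `"awk"` only) and should be widened alike. The enclosing query is shown in full in this hunk.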
@@ -18,31 +18,47 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "Potential Meterpreter Reverse Shell" -note = """## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. - -``` -Kibana --> -Management --> -Integrations --> -Auditd Manager --> -Add Auditd Manager -``` - -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. - -For this detection rule to trigger, the following additional audit rules are required to be added to the integration: - -``` --w /proc/net/ -p r -k audit_proc --w /etc/machine-id -p wa -k machineid --w /etc/passwd -p wa -k passwd -``` - -Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. 
-""" risk_score = 47 rule_id = "5c895b4f-9133-4e68-9e23-59902175355c" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule the following additional audit rules are required to be added to the integration: + -w /proc/net/ -p r -k audit_proc + -w /etc/machine-id -p wa -k machineid + -w /etc/passwd -p wa -k passwd + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 1c7eb1c65..fa8380a08 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml 
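Review bot: The three audit rules this detection depends on (`-w /proc/net/ -p r -k audit_proc` and the two `-w /etc/...` watches) were previously in a fenced code block and are now indented prose under a bullet, where markdown rendering may reflow them; keep them in a fenced block so they can be copied verbatim. The new setup also presents Auditbeat as an equivalent data source, but the "Rule Specific Setup Note" only tells Auditd Manager users to add those watches — an Auditbeat deployment needs the same rules in its `auditd` module's `audit_rules`, otherwise the rule has nothing to match, so say so in one sentence under the Auditbeat section.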
+++ b/rules/linux/execution_shell_via_suspicious_binary.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/10" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -24,6 +24,32 @@ references = [ ] risk_score = 47 rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index eab506658..65cad55c5 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/10" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -23,17 +23,44 @@ references = [ ] risk_score = 47 rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by host.id with maxspan=1s -[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and - process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and - destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id -[ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "fork") and - process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and - process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.parent.entity_id + [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not + process.args : "*imunify360-agent*"] by process.parent.entity_id ''' [[rule.threat]] 
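Review bot: The added `not process.args : "*imunify360-agent*"` exclusion allowlists on an argument substring, the weakest form of tuning: any shell spawned with that token anywhere in its arguments is dropped from the sequence, regardless of which binary launched it. If the false positives come from a known agent, anchor the exclusion on the launching binary (`process.parent.executable`) or the agent's install path instead, and record the reason in an EQL comment next to it (`/* FP: imunify360 agent */`) as this diff already does elsewhere with `/* ... */`. The loopback filter in the network step is discussed on the java_revshell hunk.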
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index e8043f85c..0391990f9 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" min_stack_version = "8.6.0" -updated_date = "2023/07/04" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -19,28 +19,54 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via UDP"
-note = """## Setup
-This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
-```
-Kibana -->
-Management -->
-Integrations -->
-Auditd Manager -->
-Add Auditd Manager
-```
-`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
-```
-For this detection rule no additional audit rules are required to be added to the integration.
-```
-Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
-"""
 references = [
 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
 ]
 risk_score = 47
 rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037"
+setup = """
+
+This rule requires data coming in from one of the following integrations:
+- Auditbeat
+- Auditd Manager
+
+### Auditbeat Setup
+Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
+
+#### The following steps should be executed in order to add the Auditbeat on a Linux System:
+- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
+- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
+- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
+- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon.
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required to be added to the integration.
+
+"""
 severity = "medium"
-tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
index ad404d299..91fa7eb9c 100644
--- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
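Review bot: The new multi-line `tags` array in this hunk is the only one in the commit that splits the list across lines with an indented closing `]`, while the other rules keep `tags` on a single line and two later hunks use yet another layout; one consistent form across the commit would be cleaner. Every Elastic Defend rule in this commit carries a `Data Source:` tag but this Auditbeat/Auditd Manager rule only gains `Domain: Endpoint`; if the tag vocabulary has a data-source tag for Auditd Manager or Auditbeat it belongs here too, otherwise this is fine as is. The `setup` text also mixes curly quotes (“Add integrations”, “Save and Continue”) with the straight quotes used in the other setup blocks, and `add the Auditbeat on a Linux System` reads better as `add Auditbeat on a Linux System`.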
+++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/26" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -24,6 +24,32 @@ references = [
 ]
 risk_score = 47
 rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index 4d11a35ee..f38a877b2 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -2,9 +2,9 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4" -min_stack_version = "8.4.0" -updated_date = "2023/08/24" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
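Review bot: The agent-policy link in the new `setup` block is pinned to a release, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while every other link in the same block uses `current`; it will go stale as the stack moves past 8.10, so `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` would match the rest. The same block is pasted verbatim into the `setup` hunks of execution_suspicious_executable_running_system_commands, execution_suspicious_mining_process_creation_events, execution_tc_bpf_filter, impact_data_encrypted_via_openssl, impact_esxi_process_kill, impact_potential_linux_ransomware_file_encryption, impact_potential_linux_ransomware_note_detected and impact_process_kill_threshold, so the fix applies to each of them. Two wording nits travel with it: the "We suggest selecting ..." bullet has no terminal punctuation and reads better as `- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, which provides "All events; all preventions".`, and the string begins with an empty line right after `setup = """`, which is kept by TOML and renders as a leading blank line in the setup guide. Since this is shared boilerplate, generating it from one template would keep the copies from drifting.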
@@ -22,6 +22,32 @@ license = "Elastic License v2"
 name = "Suspicious System Commands Executed by Previously Unknown Executable"
 risk_score = 21
 rule_id = "e9001ee6-2d00-4d2f-849e-b8b1fb05234c"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -59,7 +85,7 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" [rule.new_terms] field = "new_terms_fields" -value = ["process.executable"] +value = ["host.id", "user.id", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index a651d2da4..002a29e16 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
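Review bot: Adding `host.id` and `user.id` to `new_terms_fields` changes the unit of novelty from "executable never seen before" to "this host, user and executable combination never seen before", so every host or user that first appears inside the history window will alert on executables already well known elsewhere in the fleet; that may produce a burst of alerts on new enrollments and new accounts. If this tuning is intended, the rule's description and investigation guidance (outside this hunk) should state it, because the updated `min_stack_comments` only records the 8.6 requirement and not the rationale. A short `# ` comment above `value = ["host.id", "user.id", "process.executable"]` explaining the trade-off would keep a later tuning pass from reverting it.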
@@ -19,6 +19,32 @@ license = "Elastic License v2"
 name = "Suspicious Mining Process Creation Event"
 risk_score = 47
 rule_id = "e2258f48-ba75-4248-951b-7c885edf18c2"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index d46111522..9a75c23f1 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] 
@@ -22,6 +22,32 @@ references = [
 ]
 risk_score = 73
 rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index a6641e809..68821691a 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/26" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -24,6 +24,32 @@ references = [
 ]
 risk_score = 47
 rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml index 325a72c3b..d45f5244e 100644 --- a/rules/linux/impact_esxi_process_kill.toml +++ b/rules/linux/impact_esxi_process_kill.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/04/11" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -24,6 +24,32 @@ references = [
 ]
 risk_score = 47
 rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index 09410f397..6ab9c3305 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -21,22 +21,47 @@ license = "Elastic License v2"
 name = "Suspicious File Changes Activity Detected"
 risk_score = 47
 rule_id = "28738f9f-7427-4d23-bc69-756708b5f624"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' -sequence by host.id, process.entity_id with maxspan=1s +sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" - and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or - (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and + and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and file.path : ( "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", - "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not (( - process.name : ( - "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", - "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git", - "systemsettings", "vmis-launcher")) or file.path : "/etc/selinux/*" or (file.extension in ("qmlc", "txt") - ))] with runs=25 + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25 ''' [[rule.threat]] 
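Review bot: The rewritten first sequence stage drops the `process.name in ("bash", ..., "ash", "openssl")` branch, so mass renames driven by a shell interpreter or `openssl` launched from a standard location such as `/usr/bin/*` no longer satisfy the stage; only executables under `./*`, `/tmp/*`, `/var/tmp/*`, `/dev/shm/*`, `/var/run/*`, `/boot/*`, `/srv/*` or `/run/*` remain in scope. Narrowing for noise is reasonable, but the same edit also removes the `/etc/selinux/*` and `file.extension in ("qmlc", "txt")` exclusions, which is only safe if events from those remaining executable paths never hit them; a sentence in the description or `false_positives` (both outside this hunk) recording why the shell branch and the exclusions were dropped would keep the intent from being lost. `sequence by process.entity_id, host.id` is the same key set as before, so that reorder is cosmetic. The identical rewrite appears in the impact_potential_linux_ransomware_note_detected hunk below and should be reviewed together with this one.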
diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index 41b96c8ba..92c2ecbcd 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -22,22 +22,47 @@ license = "Elastic License v2"
 name = "Potential Linux Ransomware Note Creation Detected"
 risk_score = 47
 rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' -sequence by host.id, process.entity_id with maxspan=1s +sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" - and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or - (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and + and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and file.path : ( "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", - "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not (( - process.name : ( - "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", - "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git", - "systemsettings", "vmis-launcher")) or (file.path : "/etc/selinux/*") or (file.extension in ("qmlc", "txt") - ))] with runs=25 + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25 [file where host.os.type == "linux" and event.action == "creation" and file.name : ( "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", 
"*instruction*", "*how_to*", "*ransom*" )] diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index b701c3811..e3ad173ea 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -46,9 +46,36 @@ This rule identifies a high number (10) of process terminations via pkill from t - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + """ risk_score = 47 rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). 
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "threshold" diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml new file mode 100644 index 000000000..e29caebd5 --- /dev/null +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml 
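Review bot: The agent-policy link in the new `setup` text is pinned to one docs version (`https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`) while every other link in the same block uses `current`, so this one will go stale as the rule is carried forward to newer stack branches. Suggest `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` unless the 8.10 page was chosen deliberately, in which case a short note on why would help. The same pinned link is in the identical `setup` blocks added to lateral_movement_ssh_it_worm_download.toml, lateral_movement_telnet_network_activity_external.toml, lateral_movement_telnet_network_activity_internal.toml, persistence_chkconfig_service_add.toml, persistence_credential_access_modify_ssh_binaries.toml, persistence_cron_job_creation.toml, persistence_dynamic_linker_backup.toml and persistence_etc_file_creation.toml. While touching the wording, `as a configuration setting, that provides` reads more cleanly as `as the configuration preset, which provides`.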
@@ -0,0 +1,95 @@ +[metadata] +creation_date = "2023/09/21" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/19" + +[rule] +author = ["Elastic"] +description = """ +Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's +autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential SSH-IT SSH Worm Downloaded" +references = ["https://www.thc.org/ssh-it/"] +risk_score = 47 +rule_id = "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" +severity = "medium" +tags = ["Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name in ("curl", "wget") and process.args : ( + "https://thc.org/ssh-it/x", "http://nossl.segfault.net/ssh-it-deploy.sh", "https://gsocket.io/x", + "https://thc.org/ssh-it/bs", "http://nossl.segfault.net/bs" +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" + +[[rule.threat.technique.subtechnique]] +id = 
"T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index a6782b38d..01daa4c3c 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
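Review bot: The new rule carries the tag `Data Source: Elastic Endgame`, but `index` lists only `logs-endpoint.events.*` and the `setup` text describes Elastic Defend alone, so the tag advertises a data source the query never reads. Either add the Endgame index pattern the other Endgame-tagged rules use, or drop the tag so the tag and `related_integrations` metadata stay truthful. The `process.args :` list matches five literal URLs; since `:` already supports wildcards, a host-and-path pattern such as `"*thc.org/ssh-it/*"` (constructed from the listed values) would keep coverage if the download path moves, at the cost of some precision, so this deserves a deliberate choice and a one-line comment either way. Minor: `We suggest to select` differs from the `We suggest selecting` wording used in the other setup blocks in this commit.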
@@ -28,6 +28,44 @@ name = "Connection to External Network via Telnet" references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"] risk_score = 47 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. 
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" 
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index 7a0013db0..3cb0849c3 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -28,6 +28,44 @@ name = "Connection to Internal Network via Telnet" references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"] risk_score = 47 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. 
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" 
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 089047488..1cd1b21ac 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] 
@@ -24,6 +24,32 @@ references = [ ] risk_score = 47 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 8bde827f9..10a97feee 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -23,6 +23,44 @@ name = "Modification of OpenSSH Binaries" references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"] risk_score = 47 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. 
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). 
+ +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -35,7 +73,8 @@ event.category:file and host.os.type:linux and event.type:change and /usr/bin/sftp or /usr/bin/ssh or /usr/sbin/sshd) or - file.name:libkeyutils.so) + file.name:libkeyutils.so) and + not process.executable:/usr/share/elasticsearch/* ''' diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 9469bb82f..f441b35ac 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2023/07/31" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
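Review bot: The added `not process.executable:/usr/share/elasticsearch/*` in the modify-OpenSSH-binaries query is a bare path allowlist: any process whose executable sits under that directory can now change sshd, ssh, scp, sftp or libkeyutils.so without an alert, and nothing in the rule records which false positive it silences. A path prefix is a weak exclusion for a rule that guards credential-access persistence, so narrow it to the specific executable name that produced the noise and record the reason, for example in `false_positives` or a comment above the query. The `query` body starts before this hunk.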
@@ -23,8 +23,43 @@ references = [ ] risk_score = 47 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" @@ -33,7 +68,7 @@ host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "c file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or /etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or -file.extension : ("swp" or "swx")) +file.extension : ("swp" or "swpx")) ''' [[rule.threat]] @@ -92,8 +127,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" -value = ["file.path", "process.name"] +value = ["host.id", "file.path", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-10d" diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index b93d744a2..f2b8cf4fc 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml 
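Review bot: The cron-rule exclusion change replaces `"swx"` with `"swpx"` instead of adding it, so if the `.swx` editor swap artifact still appears on some editor versions those events will start alerting again; `file.extension : ("swp" or "swx" or "swpx")` keeps both if that is the intent, otherwise a short comment on why `swx` was wrong would help the next person tuning this rule. I cannot tell from the diff which suffixes the editor actually emits, so treat this as a question rather than a defect.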
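Review bot: Adding `host.id` to `new_terms_fields` changes what "new" means for this rule: the baseline is now per host, so every newly enrolled endpoint will alert on each legitimate cron file and executable pair during its first window, and the longer `now-10d` `history_window_start` only helps hosts that were already reporting. The rule description and investigation guide (outside this hunk) should state that terms are scoped per host, and the triage text could name newly onboarded hosts as an expected source of alerts. A one-line comment next to `value` explaining why `process.name` became `process.executable` would also save the next reader a guess.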
@@ -3,7 +3,7 @@ creation_date = "2022/07/12" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] 
@@ -21,6 +21,32 @@ references = [ ] risk_score = 73 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index abf97ec46..3acc0756e 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] 
@@ -24,6 +24,32 @@ references = [
 ]
 risk_score = 47
 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml
index 8e093be8f..e6361396e 100644
--- a/rules/linux/persistence_init_d_file_creation.toml
+++ b/rules/linux/persistence_init_d_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/08/21"
+updated_date = "2023/11/02"
 
 [transform]
 [[transform.osquery]]
@@ -117,6 +117,7 @@ This rule looks for the creation of new files within the `/etc/init.d/` director
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
 """
 references = [
 "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
@@ -126,6 +127,32 @@ references = [
 ]
 risk_score = 47
 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index e6a6886b1..579c4e9c5 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2023/11/02"
 integration = ["endpoint"]
 
 [rule]
@@ -15,19 +15,54 @@ from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Kernel module load via insmod"
+name = "Kernel Module Load via insmod"
 references = [
 "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
 ]
 risk_score = 47
 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name".
If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Threat: Rootkit",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko"
+and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 980170104..4e3c263c2 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2023/11/02"
 
 [rule]
 author = ["Elastic"]
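Review bot: The new exclusion `and not process.parent.name in ("cisco-amp-helper", "ksplice-apply")` keys only on the parent's basename, which is the least stable attribute of a process and the weakest key for an allow-list of trusted vendor tooling; the full path is the usual choice here, e.g. `and not process.parent.executable : ("/<vendor-install-dir>/cisco-amp-helper", "/<vendor-install-dir>/ksplice-apply")` (the directories are placeholders to be confirmed against the vendor packages). Separately, the `tags` list is reflowed to one entry per line in this file while every sibling rule in this commit keeps the single-line form; one style across the rule set keeps future diffs small. The `[[rule.threat]]` block and the rest of the file continue outside the hunk.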
@@ -17,10 +17,6 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via KDE AutoStart Script or Desktop File Modification"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://userbase.kde.org/System_Settings/Autostart",
 "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
@@ -28,6 +24,47 @@ references = [
 ]
 risk_score = 47
 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
+setup = """
+
+This rule requires data coming in from one of the following integrations:
+- Elastic Defend
+- Auditbeat
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditbeat Setup
+Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
+
+#### The following steps should be executed in order to add the Auditbeat on a Linux System:
+- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
+- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
+- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
+- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
+
+#### Custom Ingest Pipeline
+For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
+ +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index a635f2355..aa6ef2339 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/20" +updated_date = "2023/11/02" [transform] [[transform.osquery]] 
@@ -84,9 +84,36 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
 """
 risk_score = 47
 rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml
index 7fff85068..a86662efa 100644
--- a/rules/linux/persistence_linux_group_creation.toml
+++ b/rules/linux/persistence_linux_group_creation.toml
@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/20"
+updated_date = "2023/11/02"
 
 [transform]
 [[transform.osquery]]
@@ -79,9 +79,31 @@ This rule identifies the usages of `groupadd` and `addgroup` to create new group
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
 """
 risk_score = 21
 rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f"
+setup = """
+
+This rule requires data coming in from Filebeat.
+
+### Filebeat Setup
+Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
+
+#### The following steps should be executed in order to add the Filebeat on a Linux System:
+- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).
+- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
+- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
+- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
+- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
+
+#### Rule Specific Setup Note
+- This rule requires the “Filebeat System Module” to be enabled.
+- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
+- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
+
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index 7c3f8b18a..dd391a757 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2023/11/02"
 
 [transform]
 [[transform.osquery]]
@@ -97,6 +97,7 @@ This rule detects a web server process spawning script and command line interfac
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
 """
 references = [
 "https://pentestlab.blog/tag/web-shell/",
@@ -104,6 +105,32 @@ references = [
 ]
 risk_score = 73
 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
@@ -121,7 +148,7 @@ event.action in ("exec", "exec_event") and process.parent.executable : (
 "/usr/local/lsws/bin/lswsctrl", "*/bin/catalina.sh"
 ) and
-process.name : ("*sh", "python*", "perl", "php*", "tmux") and
+process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "tmux") and
 process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and
 not process.name == "phpquery"
 '''
diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml
index a7d8cfd05..b9ba48278 100644
--- a/rules/linux/persistence_linux_user_account_creation.toml
+++ b/rules/linux/persistence_linux_user_account_creation.toml
@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/20"
+updated_date = "2023/11/02"
 
 [transform]
 [[transform.osquery]]
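Review bot: Replacing `*sh` with an explicit list in the `process.name` clause drops shells the wildcard used to match, such as `mksh` and `rbash`, so a web server spawning one of those no longer fires; if the narrowing was meant to stop false positives from non-shell names ending in `sh` (presumably `ssh`), adding those two keeps the benefit without the coverage loss: `process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "mksh", "rbash", "fish", "python*", "perl", "php*", "tmux") and`. A `false_positives` entry or a comment recording why the wildcard was narrowed would also save the next reviewer from re-deriving it. The query's opening (`process where …`) and the `process.parent.executable` list start above the hunk.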
@@ -78,9 +78,31 @@ This rule identifies the usage of `useradd` and `adduser` to create new accounts
 - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
 """
 risk_score = 21
 rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c"
+setup = """
+
+This rule requires data coming in from Filebeat.
+
+### Filebeat Setup
+Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
+
+#### The following steps should be executed in order to add the Filebeat on a Linux System:
+- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).
+- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
+- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
+- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
+- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
+
+#### Rule Specific Setup Note
+- This rule requires the “Filebeat System Module” to be enabled.
+- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
+- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
+
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
index 69f741e83..98475a809 100644
--- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml
+++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/20"
+updated_date = "2023/11/02"
 
 [transform]
 [[transform.osquery]]
@@ -79,9 +79,36 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + """ risk_score = 47 rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 8b737aaab..2be689b44 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/07/31" +updated_date = "2023/11/02" [transform] [[transform.osquery]] 
@@ -114,20 +114,55 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/` - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + """ references = [ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" ] risk_score = 47 rule_id = "96d11d31-9a79-480f-8401-da28b194608f" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] type = "new_terms" query = ''' host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and -file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not -process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/kaniko/executor") and not -file.extension : ("swp" or "swx") +file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( + dpkg or dockerd or rpm or executor or dnf +) and not file.extension : ("swp" or "swpx") ''' [[rule.threat]] 
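Review bot: The rewritten exclusion at the end of the query swaps the full-path `process.executable` allow-list for bare `process.name` values, so a dropper copied to e.g. `/tmp/dpkg`, or anything simply named `executor` (previously pinned to `/kaniko/executor`), now silences the rule. Since the same commit moves the new-terms key to `process.executable` (next hunk), a path-based exclusion is both consistent with that and much harder to spoof: `not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/usr/bin/rpm" or "/usr/bin/dnf" or "/kaniko/executor")`. If `dnf` was added by name because its interpreter path differs across distributions, listing the observed paths is still preferable to a name match; the `swx`→`swpx` substitution on the last line is discussed on the rc.local hunk of this commit.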
@@ -145,8 +180,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" -value = ["file.path", "process.name"] +value = ["host.id", "file.path", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-10d" diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 34185a085..15633b3e5 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/21" +updated_date = "2023/11/02" [transform] [[transform.osquery]] 
@@ -113,22 +113,75 @@ This rule identifies the execution of potentially malicious processes from a MOT - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + """ references = [ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" ] risk_score = 73 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and -event.type == "start" and event.action : ("exec", "exec_event") and -process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and -process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat", -"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet") +process where event.type == "start" and event.action : ("exec", "exec_event") and +process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and ( + (process.name in ("bash", "dash", "sh", "tcsh", 
"csh", "zsh", "ksh", "fish") and ( + (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*"))) or + (process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and + not process.args : ("-*z*", "-*l*")) or + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name in ("openssl", "telnet")) +) and +not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")) ''' [[rule.threat]] diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 8ef5e71f9..e5cde1a54 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/08/21" +updated_date = "2023/11/02" [transform] [[transform.osquery]] 
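Review bot: The rewritten query drops the `host.os.type == "linux"` predicate that the old query carried and that every sibling rule in this commit keeps; the parent-path filter makes a non-Linux hit unlikely, but restoring `process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and` keeps the rule consistent with its `OS: Linux` tag and avoids evaluating the long `or` chain on other platforms. Separately, the shell branch now only fires for an interactive/login shell (`-i`, `-l`) or a `socat … exec` parent, so a MOTD script running `bash -c "curl … | sh"` or `sh /tmp/payload` no longer alerts at all; that is a defensible precision trade-off, but the description and investigation guide (outside the hunk) still promise detection of "potentially malicious processes", so either document the narrowed scope there or add a `process.args : "-c"` branch keyed on fetch-and-run strings. The trailing `not (process.parent.args : "--force" …)` suppresses every branch at once, so a one-line explanation of which legitimate invocation it covers (in the rule's `note`) would help the next person who is tempted to widen it.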
@@ -96,6 +96,7 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + """ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", 
@@ -105,13 +106,49 @@ references = [ ] risk_score = 47 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] type = "new_terms" query = ''' host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and -file.path : "/etc/rc.local" and not process.name : ("dockerd" or "docker" or "dnf" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx") +file.path : "/etc/rc.local" and not process.name : ( + "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg" +) and not file.extension : ("swp" or "swpx") ''' [[rule.threat]] @@ -134,7 +171,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" -value = ["host.id", "process.executable"] +value = ["host.id", "process.executable", "user.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml new file mode 100644 index 000000000..99fd6e6eb --- /dev/null +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml 
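Review bot: The extension exclusion on the last line of the rewritten query replaces `swx` with `swpx` instead of adding it, which reintroduces the editor noise the old filter suppressed. If I recall Vim's `findswapname()` correctly, its long-filename probe creates `foo.bar.swx` when the original name contains a dot and `.foo.swpx` when it does not, so for `/etc/rc.local` the `.swx` spelling is the one that actually appears and both should stay excluded: `) and not file.extension : ("swp" or "swpx" or "swx")`. The same substitution is made in the MOTD-creation and systemd-service hunks of this commit; the `user.id` addition to the new-terms key in the following hunk is a good change and needs no follow-up.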
@@ -0,0 +1,84 @@
+[metadata]
+creation_date = "2023/09/05"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID)
+and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the
+file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries,
+allowing them to maintain control over a compromised system with elevated permissions.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Setcap setuid/setgid Capability Set"
+risk_score = 47
+rule_id = "f5c005d3-4e17-48b0-9cd7-444d48857f97"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process.name == "setcap" and process.args : "cap_set?id+ep"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index d2534e2c2..5e788d188 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/31"
+updated_date = "2023/11/02"
 
 [rule]
 author = ["Elastic"]
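Review bot: `process.args : "cap_set?id+ep"` in the new rule's query only matches when the capability text is exactly that one token, so the equivalent `setcap cap_setuid=ep /path`, `cap_setuid+eip`, a combined clause such as `cap_setuid,cap_setgid+ep`, and a quoted multi-clause string all pass without an alert, and if I recall the `cap_from_text` grammar correctly the flag letters may also be given in a different order. Matching on the capability name rather than the flag spelling closes those gaps: `process.name == "setcap" and process.args : ("*cap_setuid*", "*cap_setgid*")`, optionally with `and not process.args == "-v"` if verification runs prove noisy; the `description` string would then need to stop naming `+ep` specifically. Two smaller points: the threat map declares both TA0003 and TA0004 but `tags` carries only `"Tactic: Persistence"`, so `"Tactic: Privilege Escalation"` should be added for consistency with the systemd-service rule in this commit, and `event.action == "exec"` (no `"exec_event"`) is fine only as long as the rule stays Elastic Defend-only, which the tags currently reflect.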
@@ -24,31 +24,64 @@ name = "Shared Object Created or Changed by Previously Unknown Process" references = ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"] risk_score = 47 rule_id = "aebaa51f-2a91-4f6a-850b-b601db2293f4" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. 
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" query = ''' host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and -process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher")) +process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher" + or "pacman" or "apt-get" or "dnf")) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" 
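Review bot: The extended `process.name` allow-list at the end of the query applies to both path globs, so a `.so` dropped into `/dev/shm` by a process that merely calls itself `dnf`, `apt-get`, `pacman` (or the pre-existing `exe`/`5`) is excluded even though no package manager legitimately writes there; only the `/usr/lib/*` branch needs the package-manager carve-out. Suggest scoping it: `file.extension:so and process.name:* and (file.path:/dev/shm/* or (file.path:/usr/lib/* and not process.name:("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher" or "pacman" or "apt-get" or "dnf")))`. The `[rule.new_terms]` section that this change interacts with is in the following hunk and now keys on `process.executable`, which is a better anchor than the bare names used here.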
@@ -56,9 +89,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" -value = ["file.path", "process.name"] +value = ["host.id", "file.path", "process.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" - - +value = "now-10d" diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index c60d89c5e..f8ea241fd 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/08/21" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -127,6 +127,7 @@ This rule monitors the creation of new systemd timer files, potentially indicati - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + """ references = [ "https://opensource.com/article/20/7/systemd-timers", 
@@ -134,14 +135,50 @@ references = [ ] risk_score = 21 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" query = ''' host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or -/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ("docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor") +/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ( + "docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared" +) ''' [[rule.threat]] @@ -164,8 +201,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" -value = ["file.path", "process.name"] +value = ["host.id", "file.path", "process.executable"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" +value = "now-10d" diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index 577ac3ae4..b04b6d63f 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml 
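Review bot: The `file.path` list in the rewritten query still only covers user units under `/home/*/.config/systemd/user/*`, so a timer planted in `/root/.config/systemd/user/` or in the system-wide `/etc/systemd/user/` directory is never evaluated, and those are exactly the locations a root-level implant would pick. Suggest extending the glob list with `/root/.config/systemd/user/* or /etc/systemd/user/*`, and applying the same addition to the systemd-service rule in this commit, which uses the identical list. The new `cloudflared` entry, like the rest of the list, is a bare `process.name` match that a dropper can adopt by renaming itself; the `process.executable` new-terms key added in the next hunk is the stronger anchor, so consider pinning the exclusion to the known install path rather than the name.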
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2023/07/31" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
@@ -25,21 +25,65 @@ references = [ ] risk_score = 47 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type : "linux" and event.action : ("creation" or "file_create_event") and -file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or -/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not -(process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or - "elastic-agent" or "cinc-client") or file.extension : ("swp" or "swx")) +host.os.type:linux and event.category:file and event.action:("creation" or "file_create_event") and file.path:( + /etc/systemd/system/* or + /usr/local/lib/systemd/system/* or + /lib/systemd/system/* or + /usr/lib/systemd/system/* or + /home/*/.config/systemd/user/* +) and +not ( + process.name:( + "dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or "puppetd" or + "elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared" + ) or + file.extension:("swp" or "swpx") +) ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
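Review bot: Every exclusion in the rewritten query is keyed on `process.name:(...)`, and the commit widens that list (`puppetd`, `chef-client`, `pacman`, `puppet`, `cloudflared`); since the name is chosen by whoever launches the binary, any executable that merely carries one of these names is dropped from the baseline, while the new-terms key in the later hunk for this file is built on `process.executable`. Anchoring the exclusions on `process.executable` with the known install paths of these package managers and agents would keep the allow-list consistent with the baseline key and harder to satisfy by accident; the same `process.name` allow-list pattern is used in the systemd timer rule's query earlier in this diff. The `[[rule.threat]]` table this hunk opens continues past the end of the hunk.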
@@ -75,8 +119,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["file.path", "process.name"]
+value = ["host.id", "file.path", "process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-10d"
diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
index 343599b13..34c410034 100644
--- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
+++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/28"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,32 @@ name = "Potential Unauthorized Access via Wildcard Injection Detected" references = ["https://www.exploit-db.com/papers/33930"] risk_score = 21 rule_id = "4a99ac6f-9a54-4ba5-a64f-6eb65695841b" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). 
+- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index 2a8d2eeeb..d8756af51 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml +++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/31" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
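Review bot: The agent-policy link in the new `setup` text is pinned to one release, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while the fleet-server, endpoint-policy and install-endpoint links beside it use `current/`; the pinned one will go stale as the stack moves on and these rules' metadata keeps being bumped. Suggest using the `current/` form for the agent-policy page as well. The same pinned link is copied into the setup blocks of the systemd service, container misconfiguration, ld.so.preload, symbolic link, uid_int_max, kexec, CVE-2023-4911 and overlayfs rules in this diff.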
@@ -20,26 +20,47 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Container Misconfiguration" -setup = """This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems. - -The following steps should be performed in order to enable session data event collection on a Linux system. -``` -Kibana --> -Management --> -Fleet --> -Agent Policies --> -Agent Policy with Elastic Defend installed --> -Elastic Defend integration --> -Enable the "Collect session data" box under "Event Collection" for "Linux" -``` -More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security. -""" references = [ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" ] risk_score = 47 rule_id = "afe6b0eb-dd9d-4922-b08a-1910124d524d" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". 
+- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +Session View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above. +#### To confirm that Session View data is enabled: +- Go to “Manage → Policies”, and edit one or more of your Elastic Defend integration policies. +- Select the” Policy settings” tab, then scroll down to the “Linux event collection” section near the bottom. +- Check the box for “Process events”, and turn on the “Include session data” toggle. +- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”. 
+- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle. +For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index cf2dbe27f..3ef2f2dcc 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml @@ -2,9 +2,9 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
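Review bot: In the Session View paragraph the quote sits on the wrong side of the space in `- Select the” Policy settings” tab`, and that paragraph uses curly quotes (“Manage → Policies”, “Process events”) while the rest of the setup block and the neighbouring rules use straight quotes; suggest `- Select the "Policy settings" tab, then scroll down to the "Linux event collection" section near the bottom.` and straight quotes throughout. The navigation path also differs from the CVE-2023-4911 rule in this diff, which writes “Security → Manage → Policies” for what looks like the same screen; picking one spelling keeps the two guides consistent.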
@@ -22,32 +22,83 @@ references = [ ] risk_score = 47 rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f" +setup = """ + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditbeat Setup +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + +#### The following steps should be executed in order to add the Auditbeat on a Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). +- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). +- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). 
+ +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "query" +type = "new_terms" query = ''' -event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and -event.action:(updated or renamed or rename) +host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and +not event.type:deletion and file.path:/etc/ld.so.preload ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "user.id", "process.executable"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-10d" diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index f4eede9ed..2300d6786 100644 --- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml 
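Review bot: The rule switches from `query` to `new_terms` keyed on `["host.id", "user.id", "process.executable"]` while the new setup text also lists Auditbeat as a supported source; if Auditbeat file events do not carry `process.executable` and `user.id` (to be confirmed against real documents), they can never complete the new-terms key and that path produces no alerts at all, which the setup text does not mention. Either verify with an Auditbeat sample or state in the setup text that the new-terms fields require process and user attribution on the file event. The change in alerting semantics — a (host, user, executable) tuple that touched /etc/ld.so.preload once in the 10-day window suppresses its later modifications — is also worth a sentence in `description`, since the old `query` type alerted on every modification.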
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/24"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
@@ -22,13 +22,39 @@ license = "Elastic License v2" name = "Suspicious Symbolic Link Created" risk_score = 21 rule_id = "8a024633-c444-45c0-a4fe-78128d8c1ab6" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and -event.type == "start" and process.name == "ln" and +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") and ( /* suspicious files */ (process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml index 660e305cf..c920a0932 100644 --- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/27" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
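Review bot: The added `process.args in ("-s", "-sf")` narrows the rule to two exact spellings of the symlink flag, whereas before it matched any `ln` invocation against the listed targets; GNU ln also accepts the reversed combination and the long option, so `-fs` and `--symbolic` invocations no longer match. If the narrowing is intended, the list is cheap to complete, `process.args in ("-s", "-sf", "-fs", "--symbolic") and`, and the intent should be stated in the description. The query continues past the end of the hunk.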
@@ -24,6 +24,32 @@ references = [ "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"] risk_score = 47 rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index 61ebdd432..7938e16f3 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -3,7 +3,7 @@ creation_date = "2023/06/09" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/31" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] 
@@ -27,6 +27,32 @@ references = [ ] risk_score = 47 rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". 
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml new file mode 100644 index 000000000..22c1de209 --- /dev/null +++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml 
@@ -0,0 +1,89 @@ +[metadata] +creation_date = "2023/10/05" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." +min_stack_version = "8.6.0" +updated_date = "2023/11/02" + +[rule] +author = ["Elastic"] +description = """ +This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a +buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Privilege Escalation via CVE-2023-4911" +references = ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"] +risk_score = 73 +rule_id = "6d8685a1-94fa-4ef7-83de-59302e7c4ca8" +setup = """ + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". 
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +Elastic Defend integration does not collect environment variable logging by default. +In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration. + #### To set up environment variable capture for an Elastic Agent policy: +- Go to “Security → Manage → Policies”. +- Select an “Elastic Agent policy”. +- Click “Show advanced settings”. +- Scroll down or search for “linux.advanced.capture_env_vars”. +- Enter the names of environment variables you want to capture, separated by commas. +- For this rule the linux.advanced.capture_env_vars variable should be set to "GLIBC_TUNABLES". +- Click “Save”. +After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. 
+For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). + +""" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ] +type = "eql" +query = ''' +sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5 +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index e485a0017..86a9899c3 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/28" +updated_date = "2023/11/02" [rule] author = ["Elastic"] 
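Review bot: The `maxspan=5s` and `with runs=5` thresholds in the sequence are unexplained anywhere in the file, and they are what separates this rule from a plain match on `process.env_vars`; the description should say that a single process carrying such a `GLIBC_TUNABLES` value does not alert, only five executions of the same binary under the same parent within five seconds, so a tuner knows why a lone hit is absent. Two smaller points in `setup`: the heading line ` #### To set up environment variable capture` carries a leading space the other `####` headings do not, and the navigation path is written “Security → Manage → Policies” whereas the container misconfiguration rule in this diff writes “Manage → Policies”.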
@@ -23,6 +23,32 @@ references = [
 "https://twitter.com/liadeliyahu/status/1684841527959273472"]
 risk_score = 73
 rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 07df799c0..e12bb1806 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
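Review bot: The agent-policy link inside the added `setup` block is pinned to a stack release, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while the two neighbouring links use the `current` alias; the identical block is pasted into the pkexec, wildcard-shell-spawn, sda-disk-mount, shadow-file-read, sudo CVE-2019-14287, sudo-hijacking, sudo-token, cap_setuid (new file) and uid-change-post-compilation hunks, so one stale link will surface in every rule's setup guide at once. Switching it to the `current` form the other links already use, `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`, or noting why 8.10 is deliberately pinned, would keep the text maintainable. The preset bullet also ends without a sentence end and reads better as `- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, which provides "All events; all preventions".` If this boilerplate is produced from a shared template, the wording fix belongs there rather than in each file.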
@@ -20,6 +20,32 @@ name = "Potential Privilege Escalation via PKEXEC"
 references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"]
 risk_score = 73
 rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
index beb058f25..1159c6295 100644
--- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
+++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/28"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,32 @@ name = "Potential Shell via Wildcard Injection Detected"
 references = ["https://www.exploit-db.com/papers/33930"]
 risk_score = 47
 rule_id = "0b803267-74c5-444d-ae29-32b5db2d562a"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
index 8d867536e..1cab6128a 100644
--- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
+++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/30"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,32 @@ name = "Potential Suspicious DebugFS Root Device Access"
 references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"]
 risk_score = 21
 rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
index 2e54f5531..e76b0d458 100644
--- a/rules/linux/privilege_escalation_shadow_file_read.toml
+++ b/rules/linux/privilege_escalation_shadow_file_read.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,32 @@ name = "Potential Shadow File Read via Command Line Utilities"
 references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
 risk_score = 47
 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
index 2a013a725..7ef11c7fd 100644
--- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
+++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/30"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,32 @@ name = "Potential Sudo Privilege Escalation via CVE-2019-14287"
 references = ["https://www.exploit-db.com/exploits/47502"]
 risk_score = 47
 rule_id = "8af5b42f-8d74-48c8-a8d0-6d14b4197288"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml
index 859e2eff2..ac0f0571e 100644
--- a/rules/linux/privilege_escalation_sudo_hijacking.toml
+++ b/rules/linux/privilege_escalation_sudo_hijacking.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/07/26"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/07/26"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
@@ -15,18 +15,53 @@ enable persistence onto the system every time the sudo binary is executed.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Potential Sudo Hijacking Detected"
 references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"]
 risk_score = 47
 rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 query = '''
-file where event.type in ("creation", "file_create_event") and file.path == "/usr/bin/sudo"
+host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and
+file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd)
 '''
 [[rule.threat]]
@@ -59,3 +94,11 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
index 9257e3e25..47d276124 100644
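Review bot: The `not process.name:(docker or dockerd)` carve-out in the rewritten query keys on a name the writing process chooses for itself, so any process that happens to run as `docker` and creates `/usr/bin/sudo` or `/bin/sudo` never reaches the New Terms evaluation; expressing the exclusion on the executable path keeps it narrow, for example `and not process.executable:("/usr/bin/docker" or "/usr/bin/dockerd")` (paths to be confirmed against the daemon packaging in use), or at minimum the `description` should say why Docker is exempt. The `new_terms` fields added in the next hunk (`host.id`, `user.id`, `process.executable`) already make the executable the discriminator, so an exclusion in the same field is easier to reason about and to audit. The `min_stack_version` bump to 8.6.0 in the earlier metadata hunk is consistent with the three-field New Terms list. The hunk opens on the closing `"""` of `description`, whose text is outside this hunk.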
--- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
+++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,32 @@ name = "Potential Sudo Token Manipulation via Process Injection"
 references = ["https://github.com/nongiach/sudo_inject"]
 risk_score = 47
 rule_id = "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
new file mode 100644
index 000000000..37b12bbcd
--- /dev/null
+++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2023/09/05"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python,
+followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation.
+Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated
+privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the
+privileges that are set on the binary that is being executed.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Privilege Escalation via Python cap_setuid"
+risk_score = 47
+rule_id = "a0ddb77b-0318-41f0-91e4-8c1b5528834f"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
+the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+ [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ process.args : "import os;os.set?id(0);os.system(*)" and process.args : "*python*" and user.id != "0"]
+ [process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and
+ (user.id == "0" or group.id == "0")]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
index ab8ad758c..f1a4e1d5a 100644
--- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml
+++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/28"
+updated_date = "2023/11/02"
 [rule]
 author = ["Elastic"]
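Review bot: The first stage of the new sequence keys on a single exact spelling of the payload, `process.args : "import os;os.set?id(0);os.system(*)"`, where the only wildcard absorbs the `u`/`g` of `setuid`/`setgid`, so the stage depends on exact spacing and statement order in the one-liner while the uid/gid-change second stage is what actually carries the precision; anchoring on the tokens that matter, e.g. `process.args : "*os.set?id(0)*" and process.args : "*os.system(*"`, would widen coverage without weakening the sequence join on `process.entity_id`. Separately, this file's preset bullet reads `- We suggest to select "Complete EDR …"` while every other `setup` block in this change reads `We suggest selecting`, and the intro paragraph is wrapped onto two lines here only; if the block comes from a shared template the text should be taken verbatim from it. `updated_date = "2023/10/19"` is also the only rule in this change not dated 2023/11/02, which may be intentional for a new file but is worth confirming.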
@@ -20,6 +20,32 @@ license = "Elastic License v2"
 name = "Potential Privilege Escalation via Recently Compiled Executable"
 risk_score = 47
 rule_id = "193549e8-bb9e-466a-a7f9-7e783f5cb5a6"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
 type = "eql"
diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
index 57caf1af5..6189c40ed 100644
--- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/11/02"
 
 [rule]
 author = ["Elastic"]
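Review bot: The agent-policy link in the new `setup` block is pinned to a stack version (`fleet/8.10/agent-policy.html`) while every other link in the same block uses `current`, so this one goes stale as soon as the guide moves on; suggest `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`. The same pinned URL is added in the setup hunks for privilege_escalation_unshare_namespace_manipulation.toml and privilege_escalation_writable_docker_socket.toml. The preset bullet also reads better as `as a configuration setting, which provides "All events; all preventions".`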
@@ -24,6 +24,44 @@ references = [
 ]
 risk_score = 47
 rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4"
+setup = """
+
+This rule requires data coming in from one of the following integrations:
+- Elastic Defend
+- Auditbeat
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditbeat Setup
+Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
+
+#### The following steps should be executed in order to add the Auditbeat on a Linux System:
+- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
+- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
+- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
+- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
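Review bot: The new `setup` text says this rule requires data from either Elastic Defend or Auditbeat, but the `tags` context line directly below it carries `Data Source: Elastic Endgame` and `Data Source: Elastic Defend` and no Auditbeat entry, so the two places disagree on what feeds the rule. Either the setup should also cover Elastic Endgame, or the tag set should be brought in line with the setup text; the rule's `index` list, which would settle whether Auditbeat indices are actually queried, is outside this hunk. Operators rely on both the setup text and the data-source tags to decide which rules they can enable, so the mismatch is worth resolving before the text is published.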
diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml
index 9200aa588..1d3ac1b99 100644
--- a/rules/linux/privilege_escalation_writable_docker_socket.toml
+++ b/rules/linux/privilege_escalation_writable_docker_socket.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/25"
+updated_date = "2023/11/02"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,32 @@ name = "Potential Privilege Escalation through Writable Docker Socket"
 references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"]
 risk_score = 47
 rule_id = "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 2a0210272..1b3d91132 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,13 +17,17 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access of Stored Browser Credentials"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
 risk_score = 73
 rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
@@ -46,7 +50,8 @@ process where host.os.type == "macos" and event.type in ("start", "process_start
 "key3.db",
 "logins.json",
 "cookies.sqlite"
- )
+ ) and
+ not (process.name : "wordexp-helper" and process.parent.name : ("elastic-agent", "elastic-endpoint"))
 '''
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 2f68ef9e8..8bac1e60a 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
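Review bot: The new `setup` string ends with `refer - https://…`, which reads as a dash-separated fragment; `refer to https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html` is clearer and matches the "refer to the [documentation]" wording used in the Linux setup blocks in this same change. The identical sentence is added in every other macOS rule hunk below (credential_access_credentials_keychains.toml through persistence_evasion_hidden_launch_agent_deamon_creation.toml), so one wording fix applies to all of them.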
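Review bot: The new exclusion is keyed only on `process.name` and `process.parent.name`, both plain string fields that reflect whatever name a process presents (a binary can be renamed, and the parent name is not verified), so a read of the credential files this rule lists would now be dropped whenever those two names line up; that is a blind spot in exactly the activity the rule exists to catch. A narrower carve-out would pin the helper to its install location or publisher, e.g. `process.parent.executable` with the Elastic Agent/Endpoint install paths, or `process.code_signature.trusted == true and process.code_signature.subject_name : "<publisher>"` if Elastic Defend populates those fields for macOS process events, which I cannot confirm from this hunk. Whichever form is chosen, the reason for the exclusion (presumably wordexp-helper spawned by the agent during its own operation) is worth recording in the rule's `note` or `false_positives` so later reviewers know why the carve-out exists.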
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,16 +18,20 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to Keychain Credentials Directories"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://objective-see.com/blog/blog_0x25.html",
 "https://securelist.com/calisto-trojan-for-macos/86543/",
 ]
 risk_score = 73
 rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index cfe887826..587a31f4a 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -18,9 +18,13 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
-note = """## Setup
+setup = """
 
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 references = ["https://ss64.com/osx/security.html"]
 risk_score = 73
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index acaa67ea4..8fe39e4c7 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
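Review bot: This file's only visible hunk is the `note` → `setup` move; unlike every other rule in this change it carries no `updated_date` bump to `2023/10/23`. If the repo's rule versioning keys off that field (every sibling file here has a `-updated_date`/`+updated_date` hunk), this rule ships changed content under its old date; the field itself lies outside this hunk, so I cannot confirm it was not already bumped in an earlier commit. Suggest adding `updated_date = "2023/10/23"` in the header table for consistency with the rest of the change.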
@@ -19,10 +19,6 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Keychain Password Retrieval via Command Line"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://www.netmeister.org/blog/keychain-passwords.html",
 "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py",
@@ -31,6 +27,14 @@ references = [
 ]
 risk_score = 73
 rule_id = "9092cd6c-650f-4fa3-8a8a-28256c7489c9"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index 3a2483579..1ff8a8613 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,16 +17,20 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Prompt for Credentials with OSASCRIPT"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
 "https://ss64.com/osx/osascript.html",
 ]
 risk_score = 73
 rule_id = "38948d29-3d5d-42e3-8aec-be832aaaf8eb"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index c493f283f..e07dd6b71 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,16 +18,20 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Remove File Quarantine Attribute"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
 "https://ss64.com/osx/xattr.html",
 ]
 risk_score = 47
 rule_id = "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index c026c8e63..b08fb8758 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,10 +18,6 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via TCCDB Modification"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
 "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
@@ -29,6 +25,14 @@ references = [
 ]
 risk_score = 47
 rule_id = "eea82229-b002-470e-a9e1-00be38b14d32"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 9390c9475..c2b59e90f 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,15 +18,19 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via Localhost Secure Copy"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html",
 ]
 risk_score = 73
 rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index a41b23a07..f38d4af84 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,12 +17,16 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Users or Groups via Built-in Commands"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 risk_score = 21
 rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 7752fee96..a22a8f619 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,13 +17,17 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Mount SMB Share via Command Line"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"]
 risk_score = 21
 rule_id = "661545b4-1a90-4f45-85ce-2ebd7c6a15d0"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index f0dd7b974..ec4bc9f61 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,10 +17,6 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Virtual Private Network Connection Attempt"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
 "https://www.unix.com/man-page/osx/8/networksetup/",
@@ -28,6 +24,14 @@ references = [
 ]
 risk_score = 21
 rule_id = "15dacaa0-5b90-466b-acab-63435a59701a"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index a8ede731e..6d9bac89c 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,12 +17,16 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of Hidden Login Item via Apple Script"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 risk_score = 47
 rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 899249fd7..66722e693 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -17,16 +17,20 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Emond Rules Creation or Modification"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://www.xorrior.com/emond-persistence/",
 "https://www.sentinelone.com/blog/how-malware-persists-on-macos/",
 ]
 risk_score = 47
 rule_id = "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 339b64e9d..b7e0f1ff8 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -17,15 +17,19 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of Hidden Launch Agent or Daemon"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
 ]
 risk_score = 47
 rule_id = "092b068f-84ac-485d-8a55-7dd9e006715f"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index f90b818e5..8f3498092 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -17,16 +17,20 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Login or Logout Hook"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf",
 "https://www.manpagez.com/man/1/defaults/",
 ]
 risk_score = 47
 rule_id = "5d0265bf-dea9-41a9-92ad-48a8dcd05080"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 2d26195a3..b0a286156 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -17,13 +17,17 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sublime Plugin or Application Script Modification"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
 risk_score = 21
 rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 3090eba49..76066136a 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -26,10 +26,6 @@ as a download of a payload from a server.
 - Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to identify whether the file is malicious or not.
-
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
 "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
@@ -37,6 +33,15 @@ references = [
 ]
 risk_score = 47
 rule_id = "48d7f54d-c29e-4430-93a9-9db6b5892270"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index 070432064..8aa669d19 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -24,9 +24,6 @@ note = """## Triage and analysis
 - Investigate the process that modified the plist file for malicious code or other suspicious behavior
 - Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
 "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
@@ -34,6 +31,15 @@ references = [
 ]
 risk_score = 47
 rule_id = "e6e8912f-283f-4d0d-8442-e0dcaf49944b"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index ab7895647..73b7a1ac7 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -17,13 +17,17 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Apple Scripting Execution with Administrator Privileges"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = ["https://discussions.apple.com/thread/2266150"]
 risk_score = 47
 rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
index 9e8c417b9..276db49d0 100644
--- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
+++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/01"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Accepted Default Telnet Port Connection"
@@ -33,7 +33,6 @@ rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
 tags = [
 "Domain: Endpoint",
- "Use Case: Threat Detection",
 "Tactic: Command and Control",
 "Tactic: Lateral Movement",
@@ -45,10 +44,11 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: network_traffic.flow and event.type: connection
- and not event.action:(
- flow_dropped or denied or deny or
- flow_terminated or timeout or Reject or network_flow)
+(event.dataset:network_traffic.flow or event.category:(network or network_traffic))
+ and event.type:connection and not event.action:(
+ flow_dropped or denied or deny or
+ flow_terminated or timeout or Reject or network_flow)
+ and destination.port:23
 '''
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 26a4188a7..de5520737 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/16"
 [rule]
 author = ["Elastic"]
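Review bot: The tags hunk (`@@ -33,7 +33,6 @@`) deletes `"Use Case: Threat Detection",` from this rule while every other rule touched in this diff keeps that tag, and the Cobalt Strike certificate rule even preserves it through a reformat, so the removal reads as accidental rather than a deliberate reclassification; restore the line unless the intent is documented. Silently dropping a use-case tag also changes how the rule is grouped in Kibana and in downstream exports, which is a user-visible change that the `updated_date` bump alone does not explain. The query hunk is a real fix (`destination.port:23` was missing from a rule named for the Telnet port), so it should not be coupled to the tag change if the latter turns out to be unintended.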
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Cobalt Strike Command and Control Beacon"
@@ -40,7 +40,9 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: (network_traffic.tls or network_traffic.http) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
+((event.category: (network OR network_traffic) AND type: (tls OR http))
+ OR event.dataset: (network_traffic.tls OR network_traffic.http)
+) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
 '''
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 066bf738b..facaf30f0 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/01"
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ SHA256 hashing algorithms (the default is SHA1). See the References section for
 configuration.
 """
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Default Cobalt Strike Team Server Certificate"
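Review bot: The first added query line filters on the bare top-level field `type: (tls OR http)`, which is not an ECS field; the `auditbeat-*` and `filebeat-*` patterns this same diff adds are unlikely to populate it (inferred — check a sample document), in which case the new `event.category` branch matches nothing for those sources and only the `event.dataset` branch remains effective. The Halfbaked and RAR rules in this diff use `network.protocol: http` for the same purpose, so `network.protocol: (tls OR http)` would be both consistent and portable across shippers. Since this rule is `language = "lucene"`, also keep the operators uppercase as done here; the FIN7 rule in the same diff mixes cases.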
@@ -34,14 +34,20 @@ references = [
 risk_score = 99
 rule_id = "e7075e8d-a966-458e-a183-85cd331af255"
 severity = "critical"
-tags = ["Tactic: Command and Control", "Threat: Cobalt Strike", "Use Case: Threat Detection", "Domain: Endpoint"]
+tags = [
+ "Tactic: Command and Control",
+ "Threat: Cobalt Strike",
+ "Use Case: Threat Detection",
+ "Domain: Endpoint",
+]
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or
- tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or
- tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
+(event.dataset: network_traffic.tls or event.category: (network or network_traffic))
+ and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83
+ or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C
+ or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
 '''
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 7c33cbc33..fbade0aa6 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/01"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
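Review bot: The three fingerprint terms are uppercase hex and `tls.server.hash.*` are keyword fields, so the match is exact and case-sensitive; the `filebeat-*`/`auditbeat-*` sources this hunk brings into scope through `event.category: (network or network_traffic)` will only ever hit if their pipelines normalize certificate fingerprints to uppercase with no separators (inferred — confirm against a Zeek or Suricata document, whose native fingerprints are lowercase and often colon-delimited). If normalization is not guaranteed, add the lowercase forms alongside, e.g. `tls.server.hash.sha1:(6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or 6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c)`, or state the expectation in a `setup` note so operators of a critical-severity rule know why it may be silent. The `event.dataset: network_traffic.tls` branch is now redundant with the category branch but harmless.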
@@ -41,7 +41,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: (network_traffic.http or network_traffic.tls) and
+(event.dataset: (network_traffic.http or network_traffic.tls) or
+ (event.category: (network or network_traffic) and network.protocol: http)) and
 (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and
 not destination.ip:(
 10.0.0.0/8 or
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 3d1a895ca..0d35fd4ba 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/16"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Possible FIN7 DGA Command and Control Behavior"
@@ -37,7 +37,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: (network_traffic.tls or network_traffic.http) AND
+(event.dataset: (network_traffic.tls OR network_traffic.http) or
+ (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND
 destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
 '''
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 9eaf40abd..3cbbd7070 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
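Review bot: The FIN7 query hunk joins its two new branches with a lowercase `or` (`...network_traffic.http) or` on the first added line) in a rule declared `language = "lucene"`; Lucene query_string treats `AND`/`OR`/`NOT` as case-sensitive keywords, so that `or` is parsed as a literal search term and the combination of the two branches then depends on the parser's default operator rather than on what was written. Change it to `OR`, as the Cobalt Strike beacon and Halfbaked hunks in this diff do. The same line also filters on the bare non-ECS field `type: (tls OR http)` where the Halfbaked and RAR rules use `network.protocol: http`; `network.protocol: (tls OR http)` would be consistent and is the field the added `auditbeat-*`/`filebeat-*` sources are more likely to populate (inferred — verify on a sample document).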
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/16"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Halfbaked Command and Control Beacon"
@@ -38,7 +38,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: (network_traffic.tls or network_traffic.http) AND
+(event.dataset: (network_traffic.tls OR network_traffic.http) OR
+ (event.category: (network OR network_traffic) AND network.protocol: http)) AND
 network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND
 destination.port:(53 OR 80 OR 8080 OR 443)
 '''
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index bab6a4656..8c76d249a 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "IPSEC NAT Traversal Port Activity"
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: network_traffic.flow and network.transport:udp and destination.port:4500
+(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500
 '''
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 080ddea6a..dc7c52c3d 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
@@ -36,7 +36,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))
+(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+ network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))
 '''
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 5d3f3fa03..1b1cc835d 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -25,7 +25,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
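Review bot: In the rewritten SMTP query the disjunct `(event.dataset:zeek.smtp and destination.port:26)` is fully subsumed by the preceding `destination.port:26`, so it can never add a match and only adds evaluation cost; the second added line can simply read `network.transport:tcp and destination.port:26`. If the intent was instead to catch Zeek SMTP transactions regardless of port, the condition should be `(destination.port:26 or event.dataset:zeek.smtp)`, which is the shape the RDP rule in this diff already uses (`destination.port:3389 or event.dataset:zeek.rdp`). Since this commit rewrites the line anyway, it is the right moment to pick one of the two meanings explicitly.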
@@ -40,7 +40,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
+(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+ network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
 not source.ip:(
 10.0.0.0/8 or
 127.0.0.0/8 or
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 5d980ddde..5c07d1604 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) from the Internet"
@@ -36,7 +36,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
+(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+ network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
 not source.ip:(
 10.0.0.0/8 or
 127.0.0.0/8 or
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index a90903ee3..450ea79d3 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) to the Internet"
@@ -36,7 +36,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
+(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
+ network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
 source.ip:(
 10.0.0.0/8 or
 172.16.0.0/12 or
diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
index a830369f0..13acbd2c1 100644
--- a/rules/network/discovery_potential_network_sweep_detected.toml
+++ b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -4,26 +4,31 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/09/22"
 [rule]
 author = ["Elastic"]
 description = '''
-This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target
-network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and
-weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized
-access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts
+This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target
+network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and
+weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized
+access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts
 from one source host to 10 or more destination hosts on commonly used network services.
 '''
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*",]
 language = "kuery"
 license = "Elastic License v2"
+max_signals = 5
 name = "Potential Network Sweep Detected"
 risk_score = 21
 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
 severity = "low"
-tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
+tags = ["Domain: Network",
+ "Tactic: Discovery",
+ "Tactic: Reconnaissance",
+ "Use Case: Network Security Monitoring"
+ ]
 type = "threshold"
 query = '''
 destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
index 37ecaf6df..9cea2f75d 100644
--- a/rules/network/discovery_potential_port_scan_detected.toml
+++ b/rules/network/discovery_potential_port_scan_detected.toml
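Review bot: `max_signals = 5` caps the alerts this threshold rule can raise per execution, so in a `now-9m` window where more than five source hosts each touch ten or more destinations only five alerts are produced and the remaining sweeps are not alerted on; for a reconnaissance rule that is a coverage gap, and neither the description nor a `setup`/`note` field tells operators the cap exists or why 5 was chosen. Either document the trade-off in the rule text or justify the number in the commit; the threshold grouping fields that would make the cap safe are outside this hunk and cannot be checked here. On style, the new index array ends with a dangling `,` before `]` and orders sources differently from the two port-scan rules in this diff, and the `tags` list is wrapped as `["Domain: Network",` / `"Tactic: ...",` / `]` rather than one element per line with a closing bracket at column 0; a pass through the repo's TOML formatter would normalize both.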
@@ -4,27 +4,32 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/31"
+updated_date = "2023/09/22"
 [rule]
 author = ["Elastic"]
 description = '''
-This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
-target system or network for open ports, allowing them to identify available services and potential vulnerabilities.
-By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
-unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
-exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts
+This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
+target system or network for open ports, allowing them to identify available services and potential vulnerabilities.
+By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
+unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
+exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts
 from one source host to 20 or more destination ports.
 '''
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"]
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
 language = "kuery"
 license = "Elastic License v2"
+max_signals = 5
 name = "Potential Network Scan Detected"
 risk_score = 21
 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
 severity = "low"
-tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
+tags = ["Domain: Network",
+ "Tactic: Discovery",
+ "Tactic: Reconnaissance",
+ "Use Case: Network Security Monitoring"
+ ]
 type = "threshold"
 query = '''
 destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
index 9d18c04d2..32c1b0ec8 100644
--- a/rules/network/discovery_potential_syn_port_scan_detected.toml
+++ b/rules/network/discovery_potential_syn_port_scan_detected.toml
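Review bot: The query keeps `event.action : "network_flow"` as a hard filter, so the newly added `filebeat-*` and `auditbeat-*` patterns only contribute events if those shippers emit that exact action value (inferred — check a sample document from each); otherwise the change widens the search footprint of a `destination.port : *` threshold query across two more index families with no detection gain. If the goal is to include Zeek/Suricata flow records shipped by Filebeat, the matching change is an `event.category : network`-style qualifier like the one the non-threshold rules in this diff adopted, e.g. `(event.action : "network_flow" or event.category : network)`. Either way the intended sources should be named in the description so the `index` list and the query stay in agreement.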
@@ -4,27 +4,32 @@ integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/31" +updated_date = "2023/09/22" [rule] author = ["Elastic"] description = ''' -This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a -target network for open ports by sending SYN packets to multiple ports and observing the response. -Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, -allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its -security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic +This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a +target network for open ports by sending SYN packets to multiple ports and observing the response. +Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, +allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its +security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. 
''' from = "now-9m" -index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"] +index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" +max_signals = 5 name = "Potential SYN-Based Network Scan Detected" risk_score = 21 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409" severity = "low" -tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"] +tags = ["Domain: Network", + "Tactic: Discovery", + "Tactic: Reconnaissance", + "Use Case: Network Security Monitoring" + ] type = "threshold" query = ''' destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 03c15e746..3dcd1d643 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -15,7 +15,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by backdoor vector. """ from = "now-9m" -index = ["packetbeat-*", "logs-network_traffic.*"] +index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "RPC (Remote Procedure Call) from the Internet" @@ -28,7 +28,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and +(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and + network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and not source.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 
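Review bot: The new disjunction `(event.dataset: network_traffic.flow or (event.category: (network or network_traffic)))` in the query hunk silently makes the `event.dataset:zeek.dce_rpc` alternative reachable: in the removed line the dataset had to be `network_traffic.flow` and `zeek.dce_rpc` at the same time, so that branch could never fire, whereas now any Zeek event carrying an ECS `network` category qualifies. That is a behaviour change for existing Zeek deployments and deserves a sentence in the commit message or the rule description; the RPC-to-internet and SMB hunks on the next two lines introduce the identical construct and the same latent fix. On the newly added `auditbeat-*`/`filebeat-*` indices the fallback also accepts per-connection host events rather than aggregated flows, which can fire far more often for the same traffic; if that is intended, `false_positives` (outside this hunk) should mention it.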
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 0fd6a76c3..ce2e6f9b0 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -6,6 +6,7 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/08/17" + [rule] author = ["Elastic"] description = """ @@ -15,7 +16,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by backdoor vector. """ from = "now-9m" -index = ["packetbeat-*", "logs-network_traffic.*"] +index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "RPC (Remote Procedure Call) to the Internet" @@ -28,7 +29,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and +(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and + network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index 8660b2b1c..782073582 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -6,6 +6,7 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/08/17" + [rule] author = ["Elastic"] description = """ 
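Review bot: `updated_date = "2023/08/17"` stays as context in the first hunk of the RPC-to-internet file although the later hunks of the same file change both `index` and the query; every other rule file in this commit bumps `updated_date` when its content changes, and the SMB header hunk at the end of this line has the same omission. The only edit these header hunks make is an extra blank line before `[rule]`, which looks like it may have been intended as the date bump. Suggest the date used by the sibling network rules in this commit, e.g. `updated_date = "2023/10/16"`, and dropping the stray blank line.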
@@ -15,7 +16,7 @@ systems. It should almost never be directly exposed to the Internet, as it is fr threat actors as an initial access or backdoor vector or for data exfiltration. """ from = "now-9m" -index = ["packetbeat-*", "logs-network_traffic.*"] +index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "SMB (Windows File Sharing) Activity to the Internet" @@ -28,7 +29,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and +(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and + network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index b1fa05a1f..fa1a06c6a 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/16" [rule] author = ["Elastic"] 
@@ -38,7 +38,9 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: network_traffic.http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT _exists_:http.request.headers.authorization +(event.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND + status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT + _exists_:http.request.headers.authorization ''' diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml index 14809d8b8..ad311c66b 100644 --- a/rules/network/lateral_movement_dns_server_overflow.toml +++ b/rules/network/lateral_movement_dns_server_overflow.toml @@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/01" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ false_positives = [ authorized vulnerability scan or compromise assessment. """, ] -index = ["packetbeat-*", "logs-network_traffic.*"] +index = ["packetbeat-*", "filebeat-*", "logs-network_traffic.*"] language = "kuery" license = "Elastic License v2" name = "Abnormally Large DNS Response" 
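Review bot: The fallback branch in this query hunk requires `event.category: network_traffic` alone, whereas the sibling hunks in this commit (RPC, SMB, DNS) accept `event.category: (network or network_traffic)`; sources that follow ECS use `network` for this field, so the fallback here may never match on the data it is meant to cover. Unless the narrower form is deliberate, `(event.dataset: network_traffic.http OR (event.category: (network OR network_traffic) AND network.protocol: http)) AND` keeps the three rules consistent. The rest of the condition still keys on `status:OK` and `http.response.headers.content-type`, which look like Packetbeat-specific field names, so even with the wider category the fallback presumes Packetbeat-shaped documents; a sentence in the description would save the next reader from re-deriving that.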
@@ -59,17 +59,22 @@ references = [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", - "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability", ] risk_score = 47 rule_id = "11013227-0301-4a8c-b150-4db924484475" severity = "medium" -tags = ["Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Use Case: Vulnerability"] +tags = [ + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Use Case: Vulnerability", +] timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset: network_traffic.dns and +(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000 ''' diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index 0f0e3021d..7aab9f82d 100644 --- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2023/10/16" [rule] author = ["Elastic"] 
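Review bot: The new fallback `(event.category: (network or network_traffic) and destination.port: 53)` pins the port, while the original `event.dataset: network_traffic.dns` branch has no port condition, so an oversized DNS response seen only through the new `filebeat-*` index on a non-standard port is no longer covered; if that narrowing is accepted it should be stated in the description, since KQL offers no in-query comment to record it. The `index` hunk for this file (previous line) adds only `filebeat-*`, unlike the other network rules in this commit that also add `auditbeat-*`; presumably auditbeat events lack the `network.bytes` this rule needs, but if the omission is deliberate a note would prevent someone "fixing" it later. The trailing-comma and column-0 `]` layout of `references` and `tags` here is the cleaner of the two styles used in this commit and is worth applying to the scan rules as well.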
@@ -24,13 +24,24 @@ risk_score = 47 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"] -timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and - process.Ext.effective_parent.name != null and - not process.Ext.effective_parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") +sequence with maxspan=1m +[process where host.os.type == "windows" and event.action == "start" and + ( + process.name : ( + "rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", + "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe" + ) or + ( + (process.code_signature.trusted == false or process.code_signature.exists == false) and + (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) + ) + ) +] by process.executable +[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and + process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable ''' diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index cb08ce0d6..0621e9acd 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
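Review bot: The rewrite drops `timestamp_override = "event.ingested"` (removed line in this hunk) without a replacement, so the new `sequence` is evaluated on `@timestamp` only and events ingested late fall outside the rule's lookback; if that is intentional because ordering a sequence on `event.ingested` is unreliable, a sentence in the description or `setup` (outside this hunk) should say so. The `maxspan=1m` join also means a recently created or unsigned parent that has been running for more than a minute before instantiating Outlook via COM never completes the sequence, a gap the previous single-event `effective_parent` query did not have; consider documenting that trade-off or widening the span. The description lines are not in the hunk, so I cannot tell whether they still describe the old `not process.Ext.effective_parent.executable : ("?:\\Program Files\\*", ...)` logic.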
@@ -59,9 +59,6 @@ Attackers can abuse this functionality in preparation for exfiltrating contents, - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", @@ -69,8 +66,16 @@ references = [ ] risk_score = 47 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
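Review bot: The new `setup="""` key in the second hunk here is written without spaces around `=` and opens with an empty line, whereas every other key in these files uses `key = value` and the other multi-line strings start their text on the following line; the same spelling is used for the `setup` keys added later in this commit (audio capture, clipboard, keylogger, mailbox, screen grabber, WinRAR), and the threat block added in the next hunk carries three consecutive blank lines. Normalising to `setup = """` with the text beginning on the next line keeps the rule files uniform and avoids a spurious leading newline in the rendered setup guide. The added link to the ingest-pipeline tutorial is a genuine improvement over the removed `## Setup` paragraph.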
@@ -104,3 +109,21 @@ id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index 2cf82c64e..96c0e3b3d 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml +++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/05" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -70,13 +70,21 @@ type = "query" query = ''' event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest" and - not (file.path : (*Microsoft* and *Exchange* and *RemotePowerShell* or *AppData* and *Local*) and - file.name:(*.psd1 or *.psm1)) + not ( + file.path : ( + ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\* + ) and file.name:(*.psd1 or *.psm1) + ) ''' [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index c2c92900e..3e08d0f6e 100644 --- a/rules/windows/collection_posh_audio_capture.toml 
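Review bot: The replacement exclusion in the mailbox-export query hunk, `?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*` with `file.name:(*.psd1 or *.psm1)`, is much tighter than the old `*Microsoft* and *Exchange* and *RemotePowerShell*` pattern, but it still lies entirely under a user-writable `AppData\\Roaming` tree, so module files in that location are trusted on path alone. If that residual blind spot is the accepted cost of suppressing the Exchange remote-PowerShell module, it belongs in `false_positives` or the description rather than only in the query. The added `T1005` technique block matches the mapping added to the WinRAR rule later in this commit, which is consistent.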
+++ b/rules/windows/collection_posh_audio_capture.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/17" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -53,7 +53,11 @@ Attackers can use PowerShell to interact with the Windows API with the intent of - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"] +risk_score = 47 +rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: @@ -71,9 +75,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"] -risk_score = 47 -rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" @@ -117,6 +118,11 @@ name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + [rule.threat.tactic] id = "TA0002" 
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml index f7e9a2d0e..00ac625f4 100644 --- a/rules/windows/collection_posh_clipboard_capture.toml +++ b/rules/windows/collection_posh_clipboard_capture.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/05" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -55,7 +55,14 @@ Attackers can abuse PowerShell capabilities to get the contents of the clipboard - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1", +] +risk_score = 47 +rule_id = "92984446-aefb-4d5e-ad12-598042ca80ba" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: 
@@ -73,12 +80,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1", -] -risk_score = 47 -rule_id = "92984446-aefb-4d5e-ad12-598042ca80ba" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" @@ -94,14 +95,20 @@ event.category:process and host.os.type:windows and powershell.file.script_block_text : ( "]::GetText" or ".Paste()" - )) or powershell.file.script_block_text : "Get-Clipboard" - and not powershell.file.script_block_text : ( + )) or powershell.file.script_block_text : "Get-Clipboard" and + not powershell.file.script_block_text : ( "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" - ) - and not user.id : "S-1-5-18" - and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1) - and not ( - file.path : *WindowsPowerShell*Modules*.ps1 and + ) and + not user.id : "S-1-5-18" and + not file.path : ( + ?\:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1 or + ?\:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1 or + ?\:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1 or + ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psd1 or + ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psm1 + ) and + not ( + file.path : ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\*Modules*.ps1 and file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1") ) ''' 
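Review bot: The new `file.path` exclusion list in the query hunk spells the same location twice with different casing (`?\:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1` and `?\:\\\\WINDOWS\\\\system32\\\\...`) while the first entry uses lowercase `program?files` and the later ones `Program?Files`; this only makes sense if `file.path` is matched case-sensitively, in which case the lowercase `program?files\\\\powershell` entry and any further casing variants are not covered. Either the field is case-insensitive (then the duplicate is dead weight) or the list should be normalised to the casing the data actually carries — a check against sampled `powershell.file.script_block_text` events would settle it. `?\\\\Modules` in the first entry also assumes a single-character PowerShell version directory and stops matching once that directory name is longer; a `*` is safer if the intent is "any installed version".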
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 4bac504b5..20d033f2b 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/21" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -55,7 +55,14 @@ Attackers can abuse PowerShell capabilities to capture user keystrokes with the - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", + "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1", +] +risk_score = 47 +rule_id = "bd2c86a0-8b61-4457-ab38-96943984e889" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: 
@@ -73,12 +80,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", - "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1", -] -risk_score = 47 -rule_id = "bd2c86a0-8b61-4457-ab38-96943984e889" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" @@ -128,6 +129,11 @@ name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml index cc89a83a2..7846029f4 100644 --- a/rules/windows/collection_posh_mailbox.toml +++ b/rules/windows/collection_posh_mailbox.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/28" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -56,7 +56,14 @@ This rule identifies scripts that contains methods and classes that can be abuse - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1", +] +risk_score = 47 +rule_id = "a2d04374-187c-4fd9-b513-3ad4e7fdd67a" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: @@ -74,12 +81,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1", -] -risk_score = 47 -rule_id = "a2d04374-187c-4fd9-b513-3ad4e7fdd67a" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" @@ -97,7 +98,7 @@ event.category:process and host.os.type:windows and "Microsoft.Exchange.WebServices.Data.Folder" or "Microsoft.Exchange.WebServices.Data.FileAttachment" ) - ) + ) and not user.id : "S-1-5-18" ''' diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index fd02e08f6..9fc9c9127 100644 
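Review bot: The query hunk at the end of this line adds `and not user.id : "S-1-5-18"`, excluding everything run as LocalSystem; script blocks from services or scheduled tasks running as SYSTEM that load the EWS classes this rule keys on will no longer alert, and nothing in the hunk or the moved `setup` text explains why. The clipboard rule in this commit carries the same exclusion, so the rationale (presumably management tooling or Exchange itself loading these assemblies) should be captured once in `false_positives` or the description of both rules. If the goal was only to suppress a specific module, a narrower `file.path` exclusion like the one used in the clipboard rule would preserve coverage of SYSTEM-context execution.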
--- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -54,7 +54,11 @@ Attackers can abuse PowerShell capabilities and take screen captures of desktops - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"] +risk_score = 47 +rule_id = "959a7353-1129-4aa7-9084-30746b256a70" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: @@ -72,9 +76,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"] -risk_score = 47 -rule_id = "959a7353-1129-4aa7-9084-30746b256a70" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 7f933702c..cddc0e844 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -50,13 +50,18 @@ These steps are usually done in preparation for exfiltration, meaning the attack - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"] risk_score = 47 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
@@ -65,17 +70,24 @@ type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and ( - ((process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or - process.pe.original_file_name == "Command line RAR") and - process.args == "a" and process.args : ("-hp*", "-p*", "-dw", "-tb", "-ta", "/hp*", "/p*", "/dw", "/tb", "/ta")) - - or - (process.pe.original_file_name in ("7z.exe", "7za.exe") and - process.args == "a" and process.args : ("-p*", "-sdel")) - - /* uncomment if noisy for backup software related FPs */ - /* not process.parent.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") */ -) + ( + ( + process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or + process.pe.original_file_name == "Command line RAR" + ) and + process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*") + ) or + ( + process.pe.original_file_name in ("7z.exe", "7za.exe") and + process.args == "a" and process.args : "-p*" + ) +) and + not process.parent.executable : ( + "C:\\Program Files\\*.exe", + "C:\\Program Files (x86)\\*.exe", + "?:\\ManageEngine\\*\\jre\\bin\\java.exe", + "?:\\Nox\\bin\\Nox.exe" + ) ''' @@ -90,6 +102,11 @@ id = "T1560.001" name = "Archive via Utility" reference = "https://attack.mitre.org/techniques/T1560/001/" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [rule.threat.tactic] diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index a30c10442..dc470f2b7 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml 
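Review bot: The parent-executable exclusion that was previously commented out (`/* uncomment if noisy for backup software related FPs */`) is now unconditional and broad: any parent under `C:\\Program Files\\*.exe` or `C:\\Program Files (x86)\\*.exe` suppresses the alert, plus two specific third-party paths. Since the rule targets password-protected archiving ahead of exfiltration, an archiver launched by any installed application — not only backup software — is now silent, which is wider than the original note anticipated; if that is intended, `false_positives` should name the backup-software case, and limiting the `Program Files` entries to the vendors actually observed would keep more coverage. The hunk also drops the `-dw`, `-tb`, `-ta`, `/dw`, `/tb`, `/ta` and `-sdel` switches so the rule fires only on password-setting arguments; the description (outside this hunk) should be checked so it no longer mentions those options.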
@@ -4,23 +4,23 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] description = """ -Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL. +Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" -name = "Potential Exfiltration via Certreq" +name = "Potential File Transfer via Certreq" references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"] risk_score = 47 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -56,3 +56,16 @@ reference = "https://attack.mitre.org/techniques/T1218/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + 
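Review bot: The description now says Certreq can be abused to download files, but the only technique added in the new `[[rule.threat]]` block is T1567 (Exfiltration Over Web Service); if the ingress direction is meant to be in scope and the existing Command and Control entry does not already carry it, T1105 (Ingress Tool Transfer) is the matching technique. The hunk also appends an empty line after the last `reference` line, which the other rule files in this change do not end with.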
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 5ab6009b7..2e6a01b59 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/16"
 
 [transform]
 [[transform.osquery]]
@@ -140,19 +140,24 @@ network where host.os.type == "windows" and network.protocol == "dns" and ) and /* Insert noisy false positives here */ not ( - process.executable : ( - "?:\\Program Files\\*.exe", - "?:\\Program Files (x86)\\*.exe", - "?:\\Windows\\System32\\WWAHost.exe", - "?:\\Windows\\System32\\smartscreen.exe", - "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", - "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", - "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", - "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", - "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", - "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", - "?:\\Windows\\system32\\mobsync.exe", - "?:\\Windows\\SysWOW64\\mobsync.exe" + ( + process.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\WWAHost.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe", + "?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", + "?:\\Windows\\system32\\mobsync.exe", + "?:\\Windows\\SysWOW64\\mobsync.exe" + ) and process.code_signature.trusted == true ) or /* Discord App */ 
@@ -168,6 +173,21 @@ network where host.os.type == "windows" and network.protocol == "dns" and /* Firefox */ (process.name : "firefox.exe" and (process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true) + ) or + + /* Dropbox */ + (process.name : "Dropbox.exe" and (process.code_signature.subject_name : "Dropbox, Inc" and + process.code_signature.trusted == true) and dns.question.name : ("api.dropboxapi.com", "*.dropboxusercontent.com") + ) or + + /* Obsidian - Plugins are stored on raw.githubusercontent.com */ + (process.name : "Obsidian.exe" and (process.code_signature.subject_name : "Dynalist Inc" and + process.code_signature.trusted == true) and dns.question.name : "raw.githubusercontent.com" + ) or + + /* WebExperienceHostApp */ + (process.name : "WebExperienceHostApp.exe" and (process.code_signature.subject_name : "Microsoft Windows" and + process.code_signature.trusted == true) and dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com") ) ) ''' @@ -180,6 +200,15 @@ id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique]] +id = "T1568" +name = "Dynamic Resolution" +reference = "https://attack.mitre.org/techniques/T1568/" + + [[rule.threat.technique.subtechnique]] + id = "T1568.002" + name = "Domain Generation Algorithms" + reference = "https://attack.mitre.org/techniques/T1568/002/" [rule.threat.tactic] id = "TA0011" diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index efecb7c2e..cb20e2c2f 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml 
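Review bot: The new `[[rule.threat.technique.subtechnique]]` table and its three keys are indented by two spaces, whereas every other subtechnique table added in this change (plink, remote_file_copy_scripts, cmdline_dump_tool) starts at column 0; TOML ignores it, but the repo's rule files are otherwise flush-left. Mapping T1568.002 (Domain Generation Algorithms) also looks like a stretch for a query that matches resolutions of fixed, well-known web-service domains; the parent T1568 alone may be the more defensible mapping, unless the reasoning is documented outside this hunk.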
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/16"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ may indicate command and control activity utilizing the DNS protocol.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Potential DNS Tunneling via NsLookup"
 note = """## Triage and analysis
@@ -64,10 +64,12 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend"
 ]
-type = "threshold"
+type = "eql"
 
 query = '''
-event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)
+sequence by host.id with maxspan=5m
+[process where host.os.type == "windows" and event.type == "start" and
+ process.name : "nslookup.exe" and process.args:("-querytype=*", "-qt=*", "-q=*", "-type=*")] with runs = 10
 '''
 
 
@@ -82,14 +84,13 @@ id = "T1071.004"
 name = "DNS"
 reference = "https://attack.mitre.org/techniques/T1071/004/"
 
-
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
 
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
-[rule.threshold]
-field = ["host.id"]
-value = 15
-
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index b36e716f1..a1a30da97 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
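Review bot: Converting the threshold rule into an EQL sequence changes the detection semantics — 15 `nslookup.exe` events per `host.id` over the rule's lookback became 10 starts on one host inside a 5-minute `maxspan` — and neither the description nor the `## Triage and analysis` note visible in the earlier hunk mentions the new count or window. Consider stating it in the note, or in `min_stack_comments` alongside the existing field additions, since an analyst reading the alert will otherwise look for the old threshold value. The rule keeps its `rule_id` while changing `type`; if downstream consumers cannot change a rule's type in place, that is worth calling out in the PR description.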
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,12 +17,16 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Connection to Commonly Abused Free SSL Certificate Providers" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 21 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml index f71f36778..3af1b9268 100644 --- a/rules/windows/command_and_control_ingress_transfer_bits.toml +++ b/rules/windows/command_and_control_ingress_transfer_bits.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/22" [rule] author = ["Elastic"] @@ -27,15 +27,20 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.action == "rename" and - -process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and - (file.extension :("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or file.Ext.header_bytes : "4d5a*") and + process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and + (file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or + file.Ext.header_bytes : "4d5a*") and - /* noisy paths, for hunting purposes you can use the same query without the following exclusions */ - not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and + /* noisy paths, for hunting purposes you can use the same query without the following exclusions */ + not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and - /* lot of third party SW use BITS to download executables with a long file name */ - not length(file.name) > 30 + /* lot of third party SW use BITS to download executables with a long file name */ + not length(file.name) > 30 and + not file.path : ( + "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp", + "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe", + "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe" + ) ''' diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 223fcd12c..8f966609c 100644 
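Review bot: The three new `file.path` exclusions carry no comment naming the software that produces them, unlike the two exclusion blocks directly above that say why they exist; a line such as `/* known benign BITS consumers: <producer of wct*.tmp — confirm>, Adobe ARM updater, Docker Desktop updater */` would keep the query self-explaining. The `Temp*\\wct*.tmp` entry is the broadest of the three: it lives in a user-writable directory and matches any MZ-headed file with that name prefix, and because the writer here is always `svchost.exe` it cannot be gated on the writer's signature the way the TeamViewer and web-services exclusions in this change are, so documenting the expected producer is the only check available.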
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -59,21 +59,27 @@ This rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Service - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", ] risk_score = 47 rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", + "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" 
@@ -102,3 +108,15 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index 51f99d833..6a0ca0440 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -52,19 +52,25 @@ This rule looks for command lines involving the `3389` port, which RDP uses by d - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"] risk_score = 73 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", + "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" 
@@ -93,3 +99,20 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index 59c928434..ad5c2304b 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
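Review bot: Three consecutive blank lines separate the new `[[rule.threat.technique.subtechnique]]` table from `[rule.threat.tactic]`, while the preceding threat block in this file uses a single blank line; the same triple blank appears in the corresponding hunks of command_and_control_remote_file_copy_scripts.toml and credential_access_cmdline_dump_tool.toml. One blank line, matching the existing `[[rule.threat]]` block above, would keep the files uniform.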
@@ -98,13 +98,18 @@ The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop i - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"] risk_score = 47 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index b9300b4cf..0689cc5a1 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -92,9 +92,6 @@ The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used t - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://twitter.com/mohammadaskar2/status/1301263551638761477", @@ -102,6 +99,14 @@ references = [ ] risk_score = 47 rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 6301f3c8a..19b82fd07 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/11/30"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/10/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -36,7 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination."
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via PowerShell"
@@ -99,12 +99,19 @@ tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic type = "eql" query = ''' -sequence by host.id, process.entity_id with maxspan=30s - [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and - not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and - not user.domain : "NT AUTHORITY"] - [file where host.os.type == "windows" and process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and - not file.name : "__PSScriptPolicy*.ps1"] +sequence by process.entity_id with maxspan=30s + +[network where host.os.type == "windows" and + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and + not dns.question.name : ( + "localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", + "*.windowsupdate.com", "metadata.google.internal", "dist.nuget.org", + "artifacts.elastic.co", "*.digicert.com", "packages.chocolatey.org", + "outlook.office365.com" + ) and not user.id : "S-1-5-18"] +[file where host.os.type == "windows" and event.type == "creation" and + process.name : "powershell.exe" and file.extension : ("exe", "dll", "ps1", "bat") and + not file.name : "__PSScriptPolicy*.ps1"] ''' diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index e929bb25b..5c1845af6 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml 
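Review bot: Replacing `not user.domain : "NT AUTHORITY"` with `not user.id : "S-1-5-18"` narrows the exclusion from all NT AUTHORITY built-in accounts to LocalSystem only, so PowerShell running as LOCAL SERVICE (S-1-5-19) or NETWORK SERVICE (S-1-5-20) now matches where it did not before. If that is intended, a short comment such as `/* exclude LocalSystem only; service accounts stay in scope */` would record it; otherwise `not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")` restores the prior scope. Dropping `host.id` from the sequence key relies on `process.entity_id` being unique across the Endpoint-only index set configured in the earlier hunk, so the two hunks should land together.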
@@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/13" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -96,7 +96,7 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr risk_score = 47 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -121,3 +121,21 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 19b665790..3ad575dd8 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -91,13 +91,18 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"] risk_score = 47 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", 
@@ -113,7 +118,15 @@ type = "eql" query = ''' file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and - file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") + file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") and + not + ( + file.path : ( + "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*.js", + "?:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\update.exe", + "?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe" + ) and process.code_signature.trusted == true + ) ''' diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml index 46aabe4b2..db0ed4795 100644 --- a/rules/windows/credential_access_bruteforce_admin_account.toml +++ b/rules/windows/credential_access_bruteforce_admin_account.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] 
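Review bot: The new exclusion is gated on `process.code_signature.trusted == true` alone, which accepts any trusted signer, whereas the exclusions added to command_and_control_common_webservices.toml in this same change pair `trusted` with the expected `process.code_signature.subject_name`. Since `process.name : "TeamViewer.exe"` is only a file name, adding `process.code_signature.subject_name : "<TeamViewer publisher name — confirm from telemetry>"` inside the `not (...)` clause keeps the carve-out tied to the vendor's binary rather than to any validly signed process of that name.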
@@ -93,13 +93,18 @@ This rule identifies potential password guessing/brute force activity from a sin - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"] risk_score = 47 rule_id = "f9790abf-bd0c-45f9-8b5f-d0b74015e029" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] type = "eql" diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml index 8d97b198d..efa9d7683 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml 
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -97,13 +97,18 @@ This rule identifies potential password guessing/brute force activity from a sin - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"] risk_score = 47 rule_id = "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] type = "eql" 
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml index a288ce930..e4d0a5ffc 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -97,9 +97,6 @@ This rule identifies potential password guessing/brute force activity from a sin - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert. """ references = [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", @@ -109,6 +106,10 @@ references = [ ] risk_score = 47 rule_id = "48b6edfc-079d-4907-b43c-baffa243270d" +setup=""" + +- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert. +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] type = "eql" 
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index c128f9b2c..519816012 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -51,19 +51,25 @@ This rule looks for the execution of utilities that can extract credential data - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://lolbas-project.github.io/"] risk_score = 73 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", + "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" 
@@ -130,3 +136,21 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 53332e46e..cbc796d4e 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic", "Austin Songer"] @@ -18,10 +18,6 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "NTDS or SAM Database File Copied" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", 
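Review bot: The new `[[rule.threat]]` block in the `@@ -130,3 +136,21 @@` hunk inserts three consecutive empty lines before `[rule.threat.tactic]` plus a trailing empty line at end of file, which nothing else in the file does; a single blank line is what separates the existing tables. The same triple-blank run is added in credential_access_credential_dumping_msbuild.toml, credential_access_dcsync_newterm_subjectuser.toml, credential_access_dcsync_replication_rights.toml, credential_access_disable_kerberos_preauth.toml and credential_access_ldap_attributes.toml. If the repository's rule normalisation rewrites these files later, the extra lines will show up as churn in an unrelated commit, so trimming them to one blank line now is cheaper.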
@@ -29,6 +25,14 @@ references = [ ] risk_score = 73 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -57,6 +61,11 @@ id = "T1003.002" name = "Security Account Manager" reference = "https://attack.mitre.org/techniques/T1003/002/" +[[rule.threat.technique.subtechnique]] +id = "T1003.003" +name = "NTDS" +reference = "https://attack.mitre.org/techniques/T1003/003/" + [rule.threat.tactic] diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 0d482c031..dcbb47c46 100644 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/13" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -100,7 +100,7 @@ This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, risk_score = 73 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -118,9 +118,41 @@ id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.002" +name = "Security Account Manager" +reference = "https://attack.mitre.org/techniques/T1003/002/" + + +[[rule.threat.technique]] +id = "T1555" +name = "Credentials from Password Stores" +reference = "https://attack.mitre.org/techniques/T1555/" +[[rule.threat.technique.subtechnique]] +id = "T1555.004" +name = "Windows Credential Manager" +reference = "https://attack.mitre.org/techniques/T1555/004/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml index 66e6a0f60..7acd66999 100644 --- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml 
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" min_stack_version = "8.4.0" -updated_date = "2023/06/27" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -55,7 +55,18 @@ This rule monitors for when a Windows Event ID 4662 (Operation was performed on - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync", +] +risk_score = 73 +rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def" +setup=""" The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: 
@@ -71,18 +82,8 @@ DS Access > Audit Directory Service Access (Success,Failure) ``` """ -references = [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", - "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", - "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync", -] -risk_score = 73 -rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" @@ -114,6 +115,24 @@ id = "TA0006" reference = "https://attack.mitre.org/tactics/TA0006/" name = "Credential Access" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" 
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index 20bf29c1e..128169a1f 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -55,7 +55,18 @@ This rule monitors for Event ID 4662 (Operation was performed on an Active Direc - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync", +] +risk_score = 73 +rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1" +setup=""" The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: 
@@ -71,22 +82,13 @@ DS Access > Audit Directory Service Access (Success,Failure) ``` """ -references = [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", - "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", - "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync", -] -risk_score = 73 -rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", + "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring" @@ -113,7 +115,10 @@ any where event.action == "Directory Service Access" and /* The right to perform an operation controlled by an extended access right. */ and winlog.event_data.AccessMask : "0x100" and - not winlog.event_data.SubjectUserName : ("*$", "MSOL_*", "OpenDNS_Connector") + not winlog.event_data.SubjectUserName : ( + "*$", "MSOL_*", "OpenDNS_Connector", "adconnect", "SyncADConnect", + "SyncADConnectCM", "aadsync", "svcAzureADSync", "-" + ) /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */ ''' 
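Review bot: The accounts added to the `not winlog.event_data.SubjectUserName : (...)` exclusion in the `@@ -113,7 +115,10 @@` hunk (`adconnect`, `SyncADConnect`, `SyncADConnectCM`, `aadsync`, `svcAzureADSync`, `-`) are undocumented, whereas the existing `OpenDNS_Connector` entry carries a `/* ... */` comment naming the product that uses it. Because the match is on a bare user name rather than a SID or a specific service principal, any account that carries one of these names is exempt from the DCSync alert, so the rationale and the expected source (directory-sync service accounts, presumably) belongs next to the list, e.g. `/* Azure AD Connect / directory-sync service accounts replicate directory data by design */`. The `"-"` entry also drops 4662 events whose SubjectUserName is unpopulated; if that is deliberate, say so in the same comment, otherwise it silently hides events with a missing subject.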
@@ -137,3 +142,23 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.002"
+name = "Domain Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 0af7561c7..88a222227 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -46,7 +46,15 @@ AS-REP roasting is an attack against Kerberos for user accounts that do not requ - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md", +] +risk_score = 47 +rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1" +setup=""" The 'Audit User Account Management' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: 
@@ -62,15 +70,8 @@ Account Management > Audit User Account Management (Success,Failure) ``` """ -references = [ - "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md", -] -risk_score = 47 -rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] timestamp_override = "event.ingested" type = "query" @@ -97,3 +98,38 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + 
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 6fb6503ee..9c694a6a0 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -21,9 +21,6 @@ note = """## Triage and analysis Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys. -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", 
@@ -31,6 +28,14 @@ references = [ ] risk_score = 73 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index bc34a9e94..c349b2846 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -53,9 +53,6 @@ This rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, w - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", @@ -63,6 +60,14 @@ references = [ ] risk_score = 73 rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index dbf6baa69..7a83198eb 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,13 +18,17 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Microsoft IIS Service Account Password Dumped" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"] risk_score = 73 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index e983409d5..048769189 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -19,16 +19,20 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Microsoft IIS Connection Strings Decryption" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", ] risk_score = 73 rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 8ab21f984..4c4471cb9 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml 
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/11/02" -integration = ["endpoint", "windows"] +integration = ["endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -44,7 +44,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Kerberos Traffic from Unusual Process" 
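Review bot: Dropping `"winlogbeat-*"` and `"logs-windows.*"` from `index` and `"windows"` from `integration` in the two hunks here removes this rule from deployments that feed Windows network events through Winlogbeat, and nothing in the rule records that change for them. The narrowing looks intentional given the later query hunk's new `process.code_signature.trusted == true` guard, which the Elastic Defend data is expected to populate, but `min_stack_comments` still reads as if nothing changed. A short line in `setup` or an updated `min_stack_comments`, such as `This rule now requires Elastic Defend process and network telemetry; Winlogbeat and Windows integration indices are no longer queried.`, would tell operators why alerts from those sources stopped.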
@@ -101,54 +101,70 @@ Domain-joined hosts usually perform Kerberos traffic using the `lsass.exe` proce - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. 
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' -network where host.os.type == "windows" and event.type == "start" and network.direction : ("outgoing", "egress") and - destination.port == 88 and source.port >= 49152 and process.pid != 4 and - not process.executable : - ("?:\\Windows\\System32\\lsass.exe", - "System", - "?:\\Windows\\System32\\svchost.exe", - "?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe", - "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe", - "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe", - "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe", - "?:\\Program Files (x86)\\SuperScan\\scanner.exe", - "?:\\Program Files (x86)\\Nmap\\nmap.exe", - "?:\\Program Files\\Tenable\\Nessus\\nessusd.exe", - "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe", - "?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe", - "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe", - "?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe", - "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe", - "\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe", - "?:\\Program Files (x86)\\Nmap OEM\\nmap.exe", - "?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe", - "?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe", - "?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe", - "?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe", - "?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe", - "?:\\Program Files (x86)\\Microsoft 
Silverlight\\sllauncher.exe", - "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", - "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe", - "?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", - "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", - "?:\\Program Files\\Mozilla Firefox\\firefox.exe", - "?:\\Program Files\\Internet Explorer\\iexplore.exe", - "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" - ) and +network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and + destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : "*" and + not + ( + process.executable : ( + "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe", + "\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe", + "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe", + "?:\\Program Files\\Amazon Corretto\\jdk1*\\bin\\java.exe", + "?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe", + "?:\\Program Files\\BlackBerry\\UEM\\Core\\tomcat-core\\bin\\tomcat9.exe", + "?:\\Program Files\\DBeaver\\dbeaver.exe", + "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.backend.exe", + "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe", + "?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe", + "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files\\Internet Explorer\\iexplore.exe", + "?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe", + "?:\\Program Files\\Mozilla Firefox\\firefox.exe", + "?:\\Program Files\\Oracle\\VirtualBox\\VirtualBoxVM.exe", + "?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe", + "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe", + "?:\\Program 
Files\\Silverfort\\Silverfort AD Adapter\\SilverfortServer.exe", + "?:\\Program Files\\Tenable\\Nessus\\nessusd.exe", + "?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe", + "?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe", + "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe", + "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe", + "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", + "?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe", + "?:\\Program Files (x86)\\Nmap\\nmap.exe", + "?:\\Program Files (x86)\\Nmap OEM\\nmap.exe", + "?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe", + "?:\\Program Files (x86)\\SAP BusinessObjects\\tomcat\\bin\\tomcat9.exe", + "?:\\Program Files (x86)\\SuperScan\\scanner.exe", + "?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe", + "?:\\Windows\\System32\\lsass.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\SysWOW64\\vmnat.exe", + "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe", + "System" + ) and process.code_signature.trusted == true + ) and destination.address != "127.0.0.1" and destination.address != "::1" ''' diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index 775a8278d..f4e5730c8 100644 --- a/rules/windows/credential_access_ldap_attributes.toml +++ b/rules/windows/credential_access_ldap_attributes.toml 
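Review bot: The rewritten exclusion list gains `"?:\\Program Files\\Amazon Corretto\\jdk1*\\bin\\java.exe"`, and the new `process.code_signature.trusted == true` guard attests the JVM binary only, not the application the JVM loaded, so Kerberos traffic from any Java program run under a Corretto JDK is now exempt from this rule. At minimum that entry deserves an EQL comment naming the workload it was added for, as credential_access_dcsync_replication_rights.toml does for its `OpenDNS_Connector` exclusion, and constraining it with `process.args` or `process.parent.executable` would keep the exemption to that workload rather than to every Java process. The added `destination.address : "*"` clause also silently requires the field to be populated; a one-line comment stating that it exists to make the later `destination.address != "127.0.0.1"` / `!= "::1"` comparisons meaningful would save the next reader from guessing.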
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,9 +17,14 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Access to a Sensitive LDAP Attribute" -note = """## Setup - -## Setup +references = [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", +] +risk_score = 47 +rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66" +setup = """ The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: @@ -35,15 +40,8 @@ DS Access > Audit Directory Service Access (Success,Failure) ``` """ -references = [ - "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", - "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", -] -risk_score = 47 -rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] timestamp_override = "event.ingested" type = "eql" 
@@ -82,9 +80,35 @@ id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml index 8deda4fd0..8b5579977 100644 --- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml +++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." min_stack_version = "8.8.0" -updated_date = "2023/06/29" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -18,13 +18,17 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious LSASS Access via MalSecLogon" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"] risk_score = 73 rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index 791113daf..6bec3a140 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -4,7 +4,7 @@ maturity = "production" integration = ["endpoint"] min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -18,16 +18,20 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Module Loaded by LSASS" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp" ] risk_score = 47 rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index c59aea7fa..e76d113f0 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] 
@@ -95,13 +95,18 @@ This rule looks for the creation of memory dump files with file names compatible - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"] risk_score = 73 rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", 
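Review bot: `setup="""` in this hunk drops the spaces around `=` that every other key in the file uses (`risk_score = 73`, `rule_id = "f2f46686-..."`) and that the same note-to-setup move uses in credential_access_ldap_attributes.toml and the two LSASS rules above (`setup = """`); the same spacing appears in the hunks for credential_access_lsass_memdump_handle_access.toml, credential_access_mimikatz_memssp_default_logs.toml, credential_access_mimikatz_powershell_module.toml, credential_access_mod_wdigest_security_provider.toml, credential_access_posh_minidump.toml and credential_access_posh_request_ticket.toml. Suggest `setup = """` throughout so the rule files stay uniform for tooling and diff review. The new string also opens with an empty line before "If enabling an EQL rule", which the `note` text it replaces did not have; dropping that line avoids a leading blank paragraph if the setup field is rendered as-is.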
@@ -118,14 +123,28 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -file where host.os.type == "windows" and file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and +file where host.os.type == "windows" and event.action != "deletion" and + file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and - not (process.executable : ("?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\SqlDumper.exe", "?:\\Windows\\System32\\dllhost.exe") and - file.path : ("?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\ErrorDumps\\SQLDmpr*.mdmp", - "?:\\*\\Reporting Services\\Logfiles\\SQLDmpr*.mdmp")) and + not ( + process.executable : ( + "?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\SqlDumper.exe", + "?:\\Windows\\System32\\dllhost.exe" + ) and + file.path : ( + "?:\\*\\Reporting Services\\Logfiles\\SQLDmpr*.mdmp", + "?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\ErrorDumps\\SQLDmpr*.mdmp", + "?:\\Program Files\\Microsoft SQL Server\\*\\MSSQL\\LOG\\SQLDmpr*.mdmp" + ) + ) and - not (process.executable : "?:\\WINDOWS\\system32\\WerFault.exe" and - file.path : "?:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\lsass.exe.*.dmp") + not ( + process.executable : "?:\\Windows\\system32\\WerFault.exe" and + file.path : ( + "?:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\lsass.exe.*.dmp", + "?:\\Windows\\System32\\%LOCALAPPDATA%\\CrashDumps\\lsass.exe.*.dmp" + ) + ) ''' diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index 82a20bdce..031caee24 100644 --- a/rules/windows/credential_access_lsass_memdump_handle_access.toml +++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml 
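Review bot: The new WerFault exclusion adds `"?:\\Windows\\System32\\%LOCALAPPDATA%\\CrashDumps\\lsass.exe.*.dmp"` with a literal `%LOCALAPPDATA%` path segment, and nothing in the query says why an unexpanded environment-variable name is expected in `file.path`. If this reflects WER writing the dump relative to System32 when no user profile is loaded for the crashing process, an EQL comment beside the entry, `/* unexpanded %LOCALAPPDATA% when WER runs without a user profile */`, would stop a later maintainer from "fixing" it; if it is not intentional, the entry should be dropped rather than widen the exclusion. The other edits in the clause are cosmetic in effect, since `:` matches case-insensitively and `?:\\WINDOWS\\system32` → `?:\\Windows\\system32` does not change what is excluded.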
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -97,7 +97,18 @@ Adversaries may attempt to access credential material stored in LSASS process me - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", + "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", + "https://attack.mitre.org/techniques/T1003/001/", + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "http://findingbad.blogspot.com/2017/", + "https://www.elastic.co/security-labs/detect-credential-access", +] +risk_score = 73 +rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de" +setup=""" Ensure advanced audit policies for Windows are enabled, specifically: Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) 
@@ -116,18 +127,13 @@ Audit Handle Manipulation (Success,Failure) Also, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights. -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ -references = [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", - "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", - "https://attack.mitre.org/techniques/T1003/001/", - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", - "http://findingbad.blogspot.com/2017/", - "https://www.elastic.co/security-labs/detect-credential-access", -] -risk_score = 73 -rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de" + severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"] timestamp_override = "event.ingested" 
@@ -156,7 +162,8 @@ any where event.action == "File System" and event.code == "4656" and "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe", - "?:\\Windows\\explorer.exe") + "?:\\Windows\\explorer.exe", + "?:\\Windows\\System32\\poqexec.exe") ''' diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml index 218eba17e..3e1398669 100644 --- a/rules/windows/credential_access_lsass_openprocess_api.toml +++ b/rules/windows/credential_access_lsass_openprocess_api.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: Lsass access events added in Elastic Endpoint 8.7." min_stack_version = "8.7.0" -updated_date = "2023/08/28" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
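Review bot: The added exclusion `"?:\\Windows\\System32\\poqexec.exe"` is matched on path alone, unlike the exclusion lists this commit rewrites for the Elastic Defend rules, which additionally require `process.code_signature.trusted == true`. Event 4656 from the Security log presumably carries no signer fields, so that gate is not available here; a short EQL comment stating why poqexec.exe (the Windows servicing primitive-operations executor, if that is the intent) legitimately requests LSASS handles and that the exclusion is path-only would record the accepted trade-off. The enclosing `any where event.action == "File System"` query starts before this hunk.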
@@ -20,38 +20,54 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic risk_score = 47 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' api where host.os.type == "windows" and - process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and - not process.executable : - ("?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", - "?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe", - "?:\\Program Files*\\Windows Defender\\MsMpEng.exe", - "?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe", - "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe", - "?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe", - "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe", - "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", - "?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe", - "?:\\Windows\\System32\\MRT.exe", - "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe", - "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe", - "?:\\Windows\\System32\\msiexec.exe", - "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe", - "?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe", - "?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe", - "?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", - "?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe", - "?:\\Program 
Files\\ESET\\ESET Security\\ekrn.exe", - "?:\\Program Files\\Huntress\\HuntressAgent.exe", - "?:\\Program Files (x86)\\eScan\\reload.exe", - "?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe") + process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and + not + ( + process.executable : ( + "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe", + "?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe", + "?:\\Program Files (x86)\\eScan\\reload.exe", + "?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", + "?:\\Program Files (x86)\\Kaspersky Lab\\*\\avp.exe", + "?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe", + "?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe", + "?:\\Program Files (x86)\\Trend Micro\\*\\CCSF\\TmCCSF.exe", + "?:\\Program Files*\\Windows Defender\\MsMpEng.exe", + "?:\\Program Files\\Bitdefender\\Endpoint Security\\EPSecurityService.exe", + "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", + "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe", + "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe", + "?:\\Program Files\\ESET\\ESET Security\\ekrn.exe", + "?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe", + "?:\\Program Files\\Huntress\\HuntressAgent.exe", + "?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe", + "?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe", + "?:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe", + "?:\\Program 
Files\\TDAgent\\ossec-agent\\ossec-agent.exe", + "?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe", + "?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "?:\\Windows\\AdminArsenal\\PDQDeployRunner\\*\\exec\\Sysmon64.exe", + "?:\\Windows\\Sysmon.exe", + "?:\\Windows\\Sysmon64.exe", + "?:\\Windows\\System32\\csrss.exe", + "?:\\Windows\\System32\\MRT.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\System32\\RtkAudUService64.exe", + "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe" + ) and process.code_signature.trusted == true + ) ''' @@ -72,3 +88,17 @@ reference = "https://attack.mitre.org/techniques/T1003/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index 08e5324ca..f1bb4e0f7 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
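Review bot: The rewritten exclusion gates every path on `process.code_signature.trusted == true`, which binds the exclusion to "has a valid signature" rather than to the expected vendor; for the wildcarded entries outside `Program Files`, such as `"?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe"` and `"?:\\Windows\\AdminArsenal\\PDQDeployRunner\\*\\exec\\Sysmon64.exe"`, pairing the path with the expected `process.code_signature.subject_name` would keep the exclusion specific to the product it was added for. The move from a path-only `not process.executable : (...)` to a signature-backed clause is otherwise a clear tightening of the rule. The query's `api where` head is in the hunk, so the change is self-contained.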
@@ -55,13 +55,18 @@ This rule looks for the creation of a file named `mimilsa.log`, which is generat - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://www.elastic.co/security-labs/detect-credential-access"] risk_score = 73 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index d5c164318..8a105168d 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -64,7 +64,15 @@ More information about Mimikatz components and how to detect/prevent them can be - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://attack.mitre.org/software/S0002/", + "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access", +] +risk_score = 73 +rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46" +setup=""" The 'PowerShell Script Block Logging' logging policy must be configured (Enable). @@ -83,13 +91,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://attack.mitre.org/software/S0002/", - "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", - "https://www.elastic.co/security-labs/detect-credential-access", -] -risk_score = 73 -rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index f3cefe661..680a532e6 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -62,9 +62,6 @@ Still, attackers can force WDigest to store the passwords insecurely on the memo - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", @@ -74,6 +71,14 @@ references = [ ] risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 7f7e06ef9..7c2c43dc8 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml 
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -72,7 +72,13 @@ query = ''' file where host.os.type == "windows" and event.type == "creation" and /* regf file header */ file.Ext.header_bytes : "72656766*" and file.size >= 30000 and - process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-1-*") + process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-1-*") and + not file.path : ( + "?:\\*\\UPM_Profile\\NTUSER.DAT", + "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOOD.LOAD", + "?:\\Windows\\Netwrix\\Temp\\????????.???.offreg", + "?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*" + ) ''' diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 5e7a9982d..9a8c4ebe6 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
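Review bot: The four new `file.path` exclusions carry no explanation in the query, and two of them start with `?:\\*\\`, which accepts the `UPM_Profile\\NTUSER.DAT` and `AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*` suffixes under any directory on the volume rather than the locations those products use. An EQL comment naming the source of each entry, e.g. `/* Citrix UPM profile store, Netwrix offline hive (.offreg), UWP app settings */` adjusted to what was observed, would document the tuning, and anchoring the UPM entries to the known profile-share path would narrow what a rule about hives written over SMB (`process.pid == 4`) ignores. The hive detection itself (the `regf` header check and `file.size >= 30000`) is unchanged by this hunk.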
@@ -31,18 +31,24 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where host.os.type == "windows" and registry.data.strings != null and - registry.path : ( +registry where host.os.type == "windows" and registry.data.strings : "?*" and + registry.path : ( "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath", "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath" - ) and - /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */ - not ( user.id : "S-1-5-18" and - registry.data.strings in - ("%SystemRoot%\\System32\\ntlanman.dll", - "%SystemRoot%\\System32\\drprov.dll", - "%SystemRoot%\\System32\\davclnt.dll") - ) + ) and + /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */ + not ( + user.id : "S-1-5-18" and + registry.data.strings : ( + "%SystemRoot%\\System32\\ntlanman.dll", + "%SystemRoot%\\System32\\drprov.dll", + "%SystemRoot%\\System32\\davclnt.dll", + "%SystemRoot%\\System32\\vmhgfs.dll", + "?:\\Program Files (x86)\\Citrix\\ICA Client\\x64\\pnsson.dll", + "?:\\Program Files\\Dell\\SARemediation\\agent\\DellMgmtNP.dll", + "?:\\Program Files (x86)\\CheckPoint\\Endpoint Connect\\\\epcgina.dll" + ) + ) ''' diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml index 1eea7bc0f..3c7a56012 100644 --- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml +++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/26" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
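Review bot: The Check Point entry reads `Endpoint Connect\\\\epcgina.dll`, a doubled separator where every other entry uses `\\`; inside the `'''` literal string EQL receives `\\\\`, i.e. two literal backslashes, so unless the provider's `ProviderPath` value really contains a doubled backslash this exclusion never matches — confirm against a sample event or change it to `Endpoint Connect\\epcgina.dll`. The comment `/* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */` is now stale, since the list also carries VMware, Citrix, Dell and Check Point providers; suggest `/* Excluding default NetworkProviders (RDPNP, LanmanWorkstation, webclient) and known third-party providers. */`. Replacing `!= null` with `: "?*"` additionally drops events whose value is an empty string, and `in` → `:` makes the exclusion case-insensitive; both look intentional but are worth a line in the commit description.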
@@ -17,7 +17,12 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Kerberos Ticket Dump" -note = """## Setup +references = [ + "https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1", +] +risk_score = 47 +rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56" +setup = """ The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: @@ -35,11 +40,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1", -] -risk_score = 47 -rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index 4cabc039c..5b6e4abf1 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -54,7 +54,15 @@ Attackers can abuse Process Memory Dump capabilities to extract credentials from - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", + "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", +] +risk_score = 73 +rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: @@ -72,13 +80,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", - "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", -] -risk_score = 73 -rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml index 6e562f4ff..8004a068b 100644 --- a/rules/windows/credential_access_posh_request_ticket.toml 
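Review bot: The new `setup="""` line is written without spaces around `=`, while the same commit writes `setup = """` in the kerb_ticket_dump hunk just above and every neighbouring key here (`risk_score = 73`, `rule_id = "..."`) uses spaces; TOML accepts both, but prefer `setup = """` for consistency. The same spelling appears in the request_ticket, remote_sam_secretsdump, seenabledelegationprivilege, shadow_credentials, spn_attribute_modified and sebackup_priv hunks below. The pre-existing context line `Steps to implement the logging policy with with Advanced Audit Configuration:` has a duplicated "with" that this move carries over unchanged.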
+++ b/rules/windows/credential_access_posh_request_ticket.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/05" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -51,7 +51,14 @@ Attackers can use PowerShell to request these Kerberos tickets, with the intent - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1", +] +risk_score = 47 +rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: @@ -69,12 +76,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://cobalt.io/blog/kerberoast-attack-techniques", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1", -] -risk_score = 47 -rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" 
@@ -84,9 +85,9 @@ query = '''
 event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 KerberosRequestorSecurityToken
- ) and not user.id : "S-1-5-18"
- and not powershell.file.script_block_text : (
- "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+ ) and not user.id : ("S-1-5-18" or "S-1-5-20") and
+ not powershell.file.script_block_text : (
+ "sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs")
 )
 '''
 
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index 523ae4f9f..82c05f660 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
 min_stack_version = "8.8.0"
-updated_date = "2023/06/29"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
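Review bot: The widened exclusion `not user.id : ("S-1-5-18" or "S-1-5-20")` removes NETWORK SERVICE activity from coverage, and the script-block exclusion now fires on two tokens (`"sentinelbreakpoints"` plus either breakpoint cmdlet) instead of the previous three, yet neither reason is recorded anywhere in the rule. KQL has no inline comment syntax, so the rationale belongs in the rule's `note` false-positives section: one sentence naming the product whose scripts contain those tokens and why S-1-5-20 is treated as benign, so a later tuner neither removes the exclusions nor extends them further without that context. Without it the growing allow-list is a blind spot that is hard to justify in review.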
@@ -17,13 +17,17 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via DuplicateHandle in LSASS"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = ["https://github.com/CCob/MirrorDump"]
 risk_score = 47
 rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 8ed4a77c0..48f80ec0c 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 
 [rule]
 author = ["Elastic"]
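Review bot: The new `setup` text ends with `For more details on adding a custom ingest pipeline refer - https://...`, which should read `refer to https://...`; the same sentence is added in the remote_sam_secretsdump, saved_creds_vault_winlog, saved_creds_vaultcmd, lsass_access_generic and lsass_access_memdump hunks below. The string also opens with an empty line (`setup = """` followed by a blank `+` line), whereas the lsass_access_generic hunk starts its text directly after the delimiter; pick one form so the rendered setup guide is consistent across the rules this commit touches.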
@@ -25,7 +25,7 @@ references = [
 risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion","Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -54,3 +54,19 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 3383e7334..f9dde3bf8 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/03/01"
-integration = ["endpoint", "system", "windows"]
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/21"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
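Review bot: The new tag list has no space after the comma in `"Tactic: Defense Evasion","Data Source: Elastic Endgame"`, unlike every other separator in the list; write `"Tactic: Defense Evasion", "Data Source: Elastic Endgame"`. The added threat block in the second hunk also ends the file with an extra empty `+` line; one trailing newline is enough.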
@@ -13,7 +13,7 @@ Identifies remote access to the registry to potentially dump credential data fro registry hive in preparation for credential access and privileges elevation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Credential Access via Registry" @@ -52,11 +52,6 @@ Attackers can use tools like secretsdump.py or CrackMapExec to dump the registry - Ensure that the machine has the latest security updates and is not running unsupported Windows versions. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work. - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", 
@@ -64,6 +59,16 @@ references = [
 ]
 risk_score = 73
 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
+setup="""
+
+This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index be0e6de82..725523a49 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
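Review bot: The moved `setup` text still states `This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.` and goes on with the beats/`event.ingested` guidance, but the same commit narrows this rule's `integration` to `["endpoint"]` and its `index` to `["logs-endpoint.events.*"]` in the two hunks above. Either the system-integration leg was dropped from the query (not visible here) and the sentence should be rewritten to describe endpoint-only data, or it was not and the narrowed index pattern leaves that leg without a data source; metadata and setup text should agree before merge.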
@@ -18,16 +18,20 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Multiple Vault Web Credentials Read" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", "https://www.elastic.co/security-labs/detect-credential-access", ] risk_score = 47 rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "eql" diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index a5995dc5b..898e1f7fe 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -18,10 +18,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Searching for Saved Credentials via VaultCmd" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", @@ -29,6 +25,14 @@ references = [ ] risk_score = 47 rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml index 6681183be..cb2e9af8a 100644 --- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml +++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml 
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -52,7 +52,17 @@ It is critical to control the assignment of this privilege. A user with this pri - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", + "https://twitter.com/_nwodtuhs/status/1454049485080907776", + "https://www.thehacker.recipes/ad/movement/kerberos/delegations", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md", +] +risk_score = 73 +rule_id = "f494c678-3c33-43aa-b169-bb3d5198c41d" +setup=""" The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: 
@@ -67,21 +77,13 @@ Policy Change > Audit Authorization Policy Change (Success,Failure) ``` """ -references = [ - "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", - "https://twitter.com/_nwodtuhs/status/1454049485080907776", - "https://www.thehacker.recipes/ad/movement/kerberos/delegations", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md", -] -risk_score = 73 -rule_id = "f494c678-3c33-43aa-b169-bb3d5198c41d" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", + "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring" @@ -98,6 +100,11 @@ event.action:"Authorization Policy Change" and event.code:4704 and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1558" +name = "Steal or Forge Kerberos Tickets" +reference = "https://attack.mitre.org/techniques/T1558/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" @@ -105,6 +112,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml index 408d46122..c9959825c 100644 --- a/rules/windows/credential_access_shadow_credentials.toml +++ b/rules/windows/credential_access_shadow_credentials.toml 
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -55,7 +55,16 @@ Attackers with write privileges on this attribute over an object can abuse it to - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", + "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", + "https://github.com/OTRF/Set-AuditRule", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", +] +risk_score = 73 +rule_id = "79f97b31-480e-4e63-a7f4-ede42bf2c6de" +setup=""" The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: 
@@ -78,14 +87,6 @@ As this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to b Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success ``` """ -references = [ - "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", - "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", - "https://github.com/OTRF/Set-AuditRule", - "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", -] -risk_score = 73 -rule_id = "79f97b31-480e-4e63-a7f4-ede42bf2c6de" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index d4d7e09e8..899a7184c 100644 --- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -52,7 +52,18 @@ Attackers can also perform "Targeted Kerberoasting", which consists of adding fa - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", + "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", + "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", + "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", + "https://adsecurity.org/?p=280", + "https://github.com/OTRF/Set-AuditRule", +] +risk_score = 73 +rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289" +setup=""" The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: @@ -75,16 +86,6 @@ As this specifies the servicePrincipalName Attribute GUID, it is expected to be Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success ``` """ -references = [ - "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", - "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", - "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", - "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", - "https://adsecurity.org/?p=280", - "https://github.com/OTRF/Set-AuditRule", -] -risk_score = 73 -rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289" severity = "high" tags = [ "Domain: Endpoint", 
@@ -100,6 +101,7 @@ type = "query"
 
 query = '''
 event.action:"Directory Service Changes" and event.code:5136 and
+ winlog.event_data.OperationType:"%%14674" and
 winlog.event_data.ObjectClass:"user" and
 winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"
 '''
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 13e9e04c1..934de556a 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,15 +18,16 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via Renamed COM+ Services DLL"
-note = """## Setup
-
-You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original
-File Name."""
 references = ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"]
 risk_score = 73
 rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef"
+setup = """
+
+You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original
+File Name.
+"""
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon Only"]
 type = "eql"
 
 query = '''
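Review bot: The added predicate `winlog.event_data.OperationType:"%%14674" and` filters on an opaque resource string; `%%14674` is the event 5136 "Value Added" operation, so the rule now alerts only when a servicePrincipalName value is added and no longer on removals, which is a coverage change worth stating. KQL cannot carry an inline comment, so record it in the rule's `description` or `note`, e.g. `Only attribute additions (OperationType %%14674, "Value Added") are considered; removals of servicePrincipalName values are not alerted.`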
@@ -58,3 +59,21 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index 1ceea773f..189c8834e 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
 min_stack_version = "8.8.0"
-updated_date = "2023/06/29"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
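Review bot: The added Defense Evasion threat block separates the subtechnique from `[rule.threat.tactic]` with three empty `+` lines and ends the file with another; the equivalent block added to the relay_ntlm_auth rule above uses a single blank line, and the lsass_access_memdump hunk below uses two. Reduce this to one blank line before `[rule.threat.tactic]` and drop the trailing empty line so the three files agree.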
@@ -16,12 +16,16 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Lsass Process Access"
-note = """## Setup
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"]
 risk_score = 47
 rule_id = "128468bf-cab1-4637-99ea-fdf3780a4609"
+setup = """
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
@@ -33,20 +37,25 @@ process where host.os.type == "windows" and event.code == "10" and not winlog.event_data.GrantedAccess : ("0x1000", "0x1400", "0x101400", "0x101000", "0x101001", "0x100000", "0x100040", "0x3200", "0x40", "0x3200") and not process.name : ("procexp64.exe", "procmon.exe", "procexp.exe", "Microsoft.Identity.AadConnect.Health.AadSync.Host.ex") and - not process.executable : - ("?:\\Windows\\System32\\lsm.exe", - "?:\\Program Files\\*", - "?:\\Program Files (x86)\\*", - "?:\\Windows\\System32\\msiexec.exe", - "?:\\Windows\\CCM\\CcmExec.exe", - "?:\\Windows\\system32\\csrss.exe", - "?:\\Windows\\system32\\wininit.exe", - "?:\\Windows\\system32\\wbem\\wmiprvse.exe", - "?:\\Windows\\system32\\MRT.exe", - "?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*", - "?:\\ProgramData\\WebEx\\webex\\*", - "?:\\Windows\\LTSvc\\LTSVC.exe") and - not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*") + not process.executable : ( + "?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*", + "?:\\ProgramData\\WebEx\\webex\\*", + "?:\\Program Files (x86)\\*", + "?:\\Program Files\\*", + "?:\\Windows\\CCM\\CcmExec.exe", + "?:\\Windows\\LTSvc\\LTSVC.exe", + "?:\\Windows\\Sysmon.exe", + "?:\\Windows\\Sysmon64.exe", + "?:\\Windows\\system32\\csrss.exe", + "?:\\Windows\\System32\\lsm.exe", + "?:\\Windows\\system32\\MRT.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\system32\\wbem\\wmiprvse.exe", + "?:\\Windows\\system32\\wininit.exe", + "?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe", + "?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe" + ) and + not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*") ''' diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index ad11964ba..04bb7f0d5 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml 
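Review bot: The rebuilt `process.executable` exclusion adds `"?:\\Windows\\Sysmon.exe"`, `"?:\\Windows\\Sysmon64.exe"`, `"?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe"` and `"?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe"` with no explanation, although these rules already use EQL `/* */` comments for exactly this purpose. A one-line comment above the list, such as `/* path-only exclusions for tooling observed opening lsass (Sysmon itself, installers, updaters); revisit if the data source gains signer fields */`, records why the entries are accepted and what would justify tightening them. The enclosing `process where` query starts before this hunk; the duplicated `"0x3200"` in the GrantedAccess context line predates this change.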
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
 min_stack_version = "8.8.0"
-updated_date = "2023/06/29"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,18 +17,22 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Credential Access via LSASS Memory Dump"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
 "https://www.elastic.co/security-labs/detect-credential-access",
 ]
 risk_score = 73
 rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "eql"
 
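Review bot: The new tag `"Tactic:Execution"` lacks the space every other tactic tag in the list uses (`"Tactic: Credential Access"`), so it will not group with them in the app and is likely to trip the tag naming check; write `"Tactic: Execution"`. The matching `[rule.threat]` block for TA0002 is added in the next hunk, so the tag itself is justified.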
@@ -40,7 +44,11 @@ process where host.os.type == "windows" and event.code == "10" and winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and /* case of lsass crashing */ - not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe") + not process.executable : ( + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Windows\\System32\\WerFaultSecure.exe" + ) ''' @@ -62,3 +70,17 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml index ff5beb14c..d3c14edce 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." min_stack_version = "8.8.0" -updated_date = "2023/06/29" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
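Review bot: The exclusion now also accepts `"?:\\Windows\\SysWOW64\\WerFault.exe"` under the existing `/* case of lsass crashing */` comment. lsass is a native 64-bit process, so a 32-bit WerFault opening it is not the usual crash-handling path; if the entry comes from observed telemetry, extend the comment to say so, e.g. `/* case of lsass crashing; SysWOW64 WerFault also observed */`, so it is not later removed as a mistake. The two blank `+` lines inside the new Execution threat block in the second hunk should be one, matching the relay_ntlm_auth hunk above.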
@@ -18,16 +18,17 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "Potential LSASS Memory Dump via PssCaptureSnapShot" -note = """## Setup - -This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold -rule cardinality feature.""" references = [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en", ] risk_score = 73 rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283" +setup = """ + +This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold +rule cardinality feature. +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"] timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index 8e7754b7c..c1e1398cd 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -48,7 +48,15 @@ This rule identifies remote access to the registry using an account with Backup - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://github.com/mpgn/BackupOperatorToDA", + "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", + "https://www.elastic.co/security-labs/detect-credential-access", +] +risk_score = 47 +rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2" +setup=""" The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers. Steps to implement the logging policy with with Advanced Audit Configuration: @@ -76,13 +84,6 @@ Logon/Logoff > Special Logon (Success) ``` """ -references = [ - "https://github.com/mpgn/BackupOperatorToDA", - "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", - "https://www.elastic.co/security-labs/detect-credential-access", -] -risk_score = 47 -rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] type = "eql" @@ -109,6 +110,10 @@ id = "T1003.002" name = "Security Account Manager" reference = "https://attack.mitre.org/techniques/T1003/002/" +[[rule.threat.technique.subtechnique]] +id = "T1003.004" +name = "LSA Secrets" +reference = "https://attack.mitre.org/techniques/T1003/004/" [rule.threat.tactic] diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index 27144441b..e1d3a90d3 100644 
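Review bot: The new `setup="""` line in the first hunk has no spaces around `=`, while the same field is written `setup = """` in the other rules touched by this change (e.g. the LSASS memdump and snapshot rules), so the files no longer share one formatting convention for the new top-level field. Normalize to `setup = """` here and in the other rules that use the spaceless form, so that any TOML formatting or lint check applied to the repo treats them uniformly. The `note = """` string that this hunk closes begins before the hunk.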
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic", "Austin Songer"] @@ -56,7 +56,16 @@ Shadow copies are backups or snapshots of an endpoint's files or volumes while t - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", + "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", + "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", + "https://www.hackingarticles.in/credential-dumping-ntds-dit/", +] +risk_score = 47 +rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0" +setup=""" Ensure advanced audit policies for Windows are enabled, specifically: Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) 
@@ -76,16 +85,12 @@ Audit Handle Manipulation (Success,Failure) This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments. Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule. -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ -references = [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", - "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", - "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", - "https://www.hackingarticles.in/credential-dumping-ntds-dit/", -] -risk_score = 47 -rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0" severity = "medium" tags = [ "Domain: Endpoint", 
@@ -114,6 +119,15 @@ framework = "MITRE ATT&CK" id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.002" +name = "Security Account Manager" +reference = "https://attack.mitre.org/techniques/T1003/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.003" +name = "NTDS" +reference = "https://attack.mitre.org/techniques/T1003/003/" [rule.threat.tactic] diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml index c8411f5ae..44fa933a5 100644 --- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml +++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,18 +17,22 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential LSASS Clone Creation via PssCaptureSnapShot" -note = """## Setup - -This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation. - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2", ] risk_score = 73 rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00" +setup = """ + +This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index 2e3f8f645..2a405d0cf 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml 
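Review bot: The `setup` text moved into its own field in this hunk says the rule "is meant to run only on datasources using Windows security event 4688", and the `index` context line includes `logs-system.*`, yet the `tags` context line still carries `"Data Source: Sysmon Only"`; now that `setup` is a first-class field surfaced to users, the two statements contradict each other in plain view. If Security event 4688 is the intended source, the tag should presumably be the Windows security/system data-source tag rather than `Sysmon Only` (verify against the repo's tag vocabulary); if Sysmon is genuinely required, the setup sentence should say so instead.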
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [transform] [[transform.osquery]] @@ -95,7 +95,7 @@ This rule looks for the execution of the `attrib.exe` utility with a command lin risk_score = 21 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" @@ -122,6 +122,15 @@ id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.001" +name = "Windows File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/001/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 5866c90e3..713554bfa 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml 
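Review bot: The `[[rule.threat.technique]]` entry added in the last hunk maps `attrib.exe` setting the hidden attribute to T1222.001 "Windows File and Directory Permissions Modification", but that sub-technique covers DACL/ownership changes (icacls, takeown, cacls), whereas a file attribute bit is not a permission and is already covered by the T1564.001 "Hidden Files and Directories" mapping visible just above it; I would drop the T1222/T1222.001 entries unless the rule's query actually matches permission changes (that query is outside this hunk). Separately, the `tags` hunk adds `"Tactic: Persistence"`, but no `[[rule.threat]]` with TA0003 appears anywhere in this diff and T1222 itself belongs to Defense Evasion, so the tag has no matching threat mapping unless one exists outside the shown hunks; the repo's tag/tactic consistency checks will presumably flag that. The `[rule.threat.tactic]` table for the edited threat block is outside the hunk.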
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -67,9 +67,6 @@ This rule monitors the modifications to the Software\\Microsoft\\Windows Script\ - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", @@ -77,6 +74,14 @@ references = [ ] risk_score = 73 rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", 
@@ -112,6 +117,10 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index 6bcb26103..d1d098db3 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Austin Songer"] @@ -48,9 +48,6 @@ Attackers can try to cover their tracks by clearing PowerShell console history. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility. -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", 
@@ -59,12 +56,21 @@ references = [ ] risk_score = 47 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", + "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" @@ -99,3 +105,22 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 18023638b..324fa7d92 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -49,12 +49,17 @@ This rule looks for the execution of the `wevtutil.exe` utility or the `Clear-Ev - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = [ "Domain: Endpoint", @@ -94,6 +99,10 @@ id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" +[[rule.threat.technique.subtechnique]] +id = "T1562.002" +name = "Disable Windows Event Logging" +reference = "https://attack.mitre.org/techniques/T1562/002/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml index 0e1bb8b63..e53afbb08 100644 --- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml +++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml 
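Review bot: In the second hunk (`@@ -94,6 +99,10 @@`) the new `[[rule.threat.technique.subtechnique]]` table for T1562.002 is placed directly after the T1070.001 entry, so TOML appends it to the subtechnique array of the preceding `[[rule.threat.technique]]`, which is T1070 "Indicator Removal"; T1562.002 is a sub-technique of T1562 "Impair Defenses", and the repo's threat-mapping validation will presumably reject a sub-technique whose ID does not start with its parent's ID. The same change is done correctly elsewhere in this diff (the disabling_windows_logs rule adds T1562.002 under an `id = "T1562"` technique); mirror that here by introducing the parent technique table first. The enclosing `[[rule.threat]]` block and its `[rule.threat.tactic]` table continue outside the hunk.
```toml
# … unchanged: T1070 technique and T1070.001 subtechnique entries …

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.002"
name = "Disable Windows Event Logging"
reference = "https://attack.mitre.org/techniques/T1562/002/"
```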
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [transform] [[transform.osquery]] @@ -114,7 +114,10 @@ id = "T1553.006" name = "Code Signing Policy Modification" reference = "https://attack.mitre.org/techniques/T1553/006/" - +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index c97cfbea2..9b7d9ebe7 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -64,9 +64,6 @@ This rule identifies the creation or modification of a root certificate by monit - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", 
@@ -74,6 +71,14 @@ references = [ ] risk_score = 21 rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = [ "Domain: Endpoint", diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index 1e35df61a..d54207652 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -54,13 +54,18 @@ This rule monitors the registry for configurations that disable Windows Defender - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://thedfirreport.com/2020/12/13/defender-control/"] risk_score = 21 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = [ "Domain: Endpoint", @@ -116,6 +121,10 @@ id = "T1562.006" name = "Indicator Blocking" reference = "https://attack.mitre.org/techniques/T1562/006/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index c7fca7156..2850893ae 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -64,15 +64,20 @@ Microsoft Windows Defender is an antivirus product built into Microsoft Windows. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", ] risk_score = 47 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index 8aa170a3d..b3d7e1c4b 100644 --- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml 
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -95,6 +95,10 @@ id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 566e8931b..25f6a75a6 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -47,12 +47,17 @@ This rule identifies patterns related to disabling the Windows firewall or its r - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index c7f57e82e..86cb361e1 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -52,21 +52,27 @@ This rule monitors the execution of commands that can tamper the Windows Defende - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps", ] risk_score = 47 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", + "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" 
@@ -99,3 +105,21 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index f7c000537..799cb062c 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic", "Ivan Ninichuck", "Austin Songer"] @@ -48,9 +48,6 @@ This rule looks for the usage of different utilities to disable the EventLog ser - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", 
@@ -58,6 +55,14 @@ references = [ ] risk_score = 21 rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = [ "Domain: Endpoint", @@ -102,6 +107,12 @@ reference = "https://attack.mitre.org/techniques/T1070/001/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.002" +name = "Disable Windows Event Logging" +reference = "https://attack.mitre.org/techniques/T1562/002/" + [[rule.threat.technique.subtechnique]] id = "T1562.006" name = "Indicator Blocking" diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index cdd2c77a2..d2e57afe8 100644 --- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Austin Songer"] 
@@ -18,16 +18,20 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "DNS-over-HTTPS Enabled via Registry" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", ] risk_score = 21 rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -51,6 +55,11 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index 8a41f8898..61a1ad7c7 100644 
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -4,24 +4,31 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] -description = "Identifies suspicious .NET code execution. connections." +description = """ +Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt +to compile code after delivery in order to bypass security mechanisms. +""" from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious .NET Code Compilation" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. 
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -50,3 +57,22 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index dbaf9f9fa..167099248 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
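Review bot: The new description says the rule catches an attempt "to compile code after delivery in order to bypass security mechanisms", which is the ATT&CK sub-technique T1027.004 Compile After Delivery, yet the only mapping added is T1059.005 Visual Basic under Execution. If the query (outside this hunk) also matches the C# compiler, Visual Basic alone is a partial mapping; adding T1027.004 under the existing Defense Evasion block — the same lines this diff already uses in defense_evasion_execution_msbuild_started_unusal_process.toml — would make the threat section say what the description says. The TA0005 block this would extend starts before the hunk, so only the new technique and the tactic lines that place it are shown.
```toml
# … unchanged: existing Defense Evasion [[rule.threat]] block and its techniques …
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
[[rule.threat.technique.subtechnique]]
id = "T1027.004"
name = "Compile After Delivery"
reference = "https://attack.mitre.org/techniques/T1027/004/"

[rule.threat.tactic]
id = "TA0005"
```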
@@ -53,12 +53,17 @@ This rule detects the creation of a Windows Firewall inbound rule that would all - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index 153a80b30..d0d5927b4 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -49,12 +49,17 @@ Attackers can enable Network Discovery on the Windows firewall to find other sys - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 3beaffd08..6a4883a2e 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,15 +17,26 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Control Panel Process with Unusual Arguments" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://www.joesandbox.com/analysis/476188/1/html"] risk_score = 73 rule_id = "416697ae-e468-4093-a93d-59661fa619ec" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index d2d7937ff..05a1d131a 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml 
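Review bot: `"Tactic: Execution"` is added to `tags`, but this diff adds no `[[rule.threat]]` block with tactic TA0002 for this file (its threat section lies outside the hunk), so unless the file already carries one the tag and the threat mapping disagree; the other files in this diff that add the tag also add an Execution block, and the repository's unit tests on the `tags` field may flag the mismatch. The same tag-only addition is in defense_evasion_execution_lolbas_wuauclt.toml, defense_evasion_execution_msbuild_started_by_system_process.toml, defense_evasion_execution_suspicious_explorer_winword.toml and defense_evasion_execution_windefend_unusual_path.toml. Separately, the reflowed list keeps the first entry on the `tags = [` line and indents the closing `]`, unlike the one-entry-per-line layout the investigation-guide rules in this diff already use; `tags = [` on its own line with `]` at column 0 would match them.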
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,15 +17,26 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "ImageLoad via Windows Update Auto Update Client" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://dtm.uk/wuauclt/"] risk_score = 47 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 68ece95a1..e626be02a 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -73,19 +73,25 @@ This rule looks for the `Msbuild.exe` utility spawned by MS Office programs. Thi - Consider improvements to the security awareness program. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] risk_score = 73 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", + "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 7de464722..ab0090d54 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml 
@@ -2,9 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -14,41 +14,51 @@ behavior is unusual and is sometimes used by malicious payloads. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] -language = "eql" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "kuery" license = "Elastic License v2" name = "Microsoft Build Engine Started by a Script Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. 
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe") and - process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe", "mshta.exe") +host.os.type:windows and event.category:process and event.type:start and ( + process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and + process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or + "wscript.exe" or "mshta.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
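Review bot: The new `setup` text still opens with "If enabling an EQL rule on a non-elastic-agent index ..." and explains the EQL `event.ingested` fallback, but this same hunk changes `language` to `kuery` and `type` to `new_terms`, so the guidance no longer describes this rule. Either drop the EQL-specific wording here or rewrite the paragraph for what this rule type needs on beats indices, given that `timestamp_override = "event.ingested"` is kept. The same mismatch is in defense_evasion_execution_msbuild_started_unusal_process.toml, which this diff also converts to new_terms. The Defense Evasion threat block at the end of this hunk continues past it.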
@@ -56,8 +66,34 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "user.name", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index 0c6c03912..6e2ded627 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
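Review bot: `value = ["host.id", "user.name", "process.command_line"]` makes every distinct msbuild command line per host and user a new term, so a developer building a new project path or using a different switch set fires the rule once per combination, which is likely a larger alert volume than the EQL rule it replaces; the `false_positives` entry (outside this hunk) could say so, and a steadier key such as `process.executable` or the parent name is worth weighing. The companion conversion in defense_evasion_execution_msbuild_started_unusal_process.toml keys on `process.parent.command_line` and has the same property. The Execution block lists PowerShell, Windows Command Shell and Visual Basic, while `mshta.exe` in the query's parent list corresponds to T1218.005 under Defense Evasion, which the existing TA0005 block (outside the hunk) may or may not already carry.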
@@ -18,14 +18,25 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by a System Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index 3e512129e..d5a420922 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -94,18 +94,24 @@ This rule checks for renamed instances of MSBuild, which can indicate an attempt - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", + "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend" 
@@ -131,6 +137,15 @@ id = "T1036.003" name = "Rename System Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index 86fcdc731..3c28b88ce 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,9 +2,9 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -19,40 +19,60 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] -language = "eql" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "kuery" license = "Elastic License v2" name = "Microsoft Build Engine Started an Unusual Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. 
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] + timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.parent.name : "MSBuild.exe" and - process.name : ("csc.exe", "iexplore.exe", "powershell.exe") +host.os.type:windows and event.category:process and event.type:start and process.parent.name:"MSBuild.exe" and +process.name.caseless:("csc.exe" or "iexplore.exe" or "powershell.exe") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + [rule.threat.tactic] @@ -60,3 +80,10 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "user.name", "process.parent.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" 
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index 414fc58c5..6f225628d 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,15 +17,26 @@ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" -name = "Potential DLL SideLoading via Trusted Microsoft Programs" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" +name = "Potential DLL Side-Loading via Trusted Microsoft Programs" risk_score = 73 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -50,6 +61,16 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.002" +name = "DLL Side-Loading" +reference = "https://attack.mitre.org/techniques/T1574/002/" + + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index dce462621..947f179c3 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic", "Dennis Perto"] 
@@ -19,17 +19,28 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/", ] risk_score = 73 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index b661bcc2e..2cea69c4c 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml 
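Review bot: In the rewritten `tags` array `"Tactic: Execution"` is placed between the two `Data Source:` entries, whereas the sibling execution_suspicious_explorer_winword hunk groups both `Tactic:` entries ahead of the data sources. Keeping the tactic tags adjacent makes the lists easier to diff across rules: `"Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"`. As in the explorer_winword rule, no TA0002 Execution threat block is visible in this file's hunks to back the new tag.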
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,12 +18,16 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Executable File Creation with Multiple Extensions" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml index 4aa169d97..5ed51671d 100644 --- a/rules/windows/defense_evasion_from_unusual_directory.toml +++ b/rules/windows/defense_evasion_from_unusual_directory.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,12 +17,16 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Process Execution from an Unusual Directory" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 11ea3faaf..edfe9668d 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -52,12 +52,17 @@ This rule monitors commands that disable IIS logging. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 73 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml index 3211a75db..23b432f69 100755 --- a/rules/windows/defense_evasion_injection_msbuild.toml 
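Review bot: The new field is written `setup="""` here, without the spaces around `=` that every other key in these files and the `setup = """` form used in the explorer_winword, windefend_unusual_path and trusted_directory hunks use. TOML accepts both, but the inconsistency makes grep-based checks on `setup = ` miss these files; write it as `setup = """`. The same `setup="""` spelling is introduced in the masquerading_renamed_autoit, microsoft_defender_tampering, ms_office_suspicious_regmod, posh_assembly_load and posh_compressed hunks.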
+++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ name = "Process Injection by the Microsoft Build Engine" risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Sysmon Only"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Sysmon Only"] timestamp_override = "event.ingested" type = "query" @@ -36,6 +36,15 @@ id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index f574bbc77..8952dee12 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,12 +17,16 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious Endpoint Security Parent Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -47,6 +51,11 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules_building_block/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml similarity index 81% rename from rules_building_block/defense_evasion_masquerading_communication_apps.toml rename to rules/windows/defense_evasion_masquerading_communication_apps.toml index 12910048e..aac5dce5c 100644 
--- a/rules_building_block/defense_evasion_masquerading_communication_apps.toml +++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml @@ -4,8 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/15" -bypass_bbr_timing = true +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -18,12 +17,11 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Masquerading as Communication Apps" -risk_score = 21 +risk_score = 47 rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923" -severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +severity = "medium" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -97,9 +95,32 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Client Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + 
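Review bot: The new `[[rule.threat]]` block maps this rule to TA0003 Persistence, but the `tags` array rewritten in the earlier hunk of this file still lists only `"Tactic: Defense Evasion"`; the tactic tags and the threat section now disagree. The tags line should read `tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend"]`. Since the rule is also being promoted out of `rules_building_block` (`building_block_type` and `bypass_bbr_timing` removed, severity raised to medium), any `from`/lookback values that were tuned for building-block use are presumably still in the unchanged part of the file and are worth re-checking for an alerting rule.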
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 78f90e748..f89ab8060 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -93,12 +93,17 @@ This rule checks for renamed instances of AutoIt, which can indicate an attempt - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", 
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index e890786bb..bb0d0abc1 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,10 +18,6 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious WerFault Child Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", 
@@ -30,8 +26,16 @@ references = [ ] risk_score = 47 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -60,3 +64,42 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.012" +name = "Image File Execution Options Injection" +reference = "https://attack.mitre.org/techniques/T1546/012/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.012" +name = "Image File Execution Options Injection" +reference = "https://attack.mitre.org/techniques/T1546/012/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index d7441c5ea..0d71ea1ff 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
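Review bot: Each of the two new `[[rule.threat]]` blocks separates its subtechnique from `[rule.threat.tactic]` with three blank lines and is preceded by two more, while the rest of these files use a single blank line between tables. Collapsing them to one blank line keeps the threat section consistent with the T1554 block added in the masquerading_communication_apps hunk. The same triple-blank layout appears in the parent_process_pid_spoofing hunk, and the microsoft_defender_tampering hunk has the opposite problem: its new T1112 technique runs straight into `[rule.threat.tactic]` with no blank line at all.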
@@ -18,12 +18,16 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Program Files Directory Masquerading" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index 37bc0e9d8..fb1853613 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [transform] [[transform.osquery]] 
@@ -122,6 +122,11 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index a2abaed01..28e126147 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Austin Songer"] @@ -55,9 +55,6 @@ This rule monitors the registry for modifications that disable Windows Defender - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", 
@@ -71,6 +68,14 @@ references = [ ] risk_score = 47 rule_id = "fe794edd-487f-4a90-b285-3ee54f2af2d3" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -116,6 +121,10 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index d0b6fe2f8..b25ab856f 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [transform] [[transform.osquery]] 
@@ -130,11 +130,4 @@ reference = "https://attack.mitre.org/techniques/T1218/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index 74bbdc02f..f0adc54b4 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml +++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -66,12 +66,17 @@ This rule looks for registry changes affecting the conditions above. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "feeed87c-5e95-4339-aef1-47fd79bcfbe3" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index 1cdc5e564..8ab001370 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [transform] [[transform.osquery]] 
@@ -164,7 +164,25 @@ framework = "MITRE ATT&CK" id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml index 3174bda50..c7390f8df 100644 --- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ references = ["https://blog.didierstevens.com/2017/03/20/"] risk_score = 73 rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] type = "eql" query = ''' 
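Review bot: The new `[[rule.threat.technique.subtechnique]]` for `T1218.005` (Mshta) is appended directly after the `T1127.001` entry, so TOML attaches it to the most recent `[[rule.threat.technique]]`, which is T1127 Trusted Developer Utilities Proxy Execution; in ATT&CK, T1218.005 is a subtechnique of T1218 System Binary Proxy Execution. The four lines `[[rule.threat.technique.subtechnique]]` / `id = "T1218.005"` / `name = "Mshta"` / `reference = "https://attack.mitre.org/techniques/T1218/005/"` should be moved under the file's T1218 technique entry if one exists outside this hunk, or a `[[rule.threat.technique]]` for T1218 added ahead of them. As written, any tooling that validates subtechnique ids against their parent technique will reject this file.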
@@ -85,3 +85,22 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1134" +name = "Access Token Manipulation" +reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.004" +name = "Parent PID Spoofing" +reference = "https://attack.mitre.org/techniques/T1134/004/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index b42d3a944..4fc06cc17 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ tags = [ "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", - "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ] 
@@ -53,26 +53,33 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" [[rule.threat.technique.subtechnique]] -id = "T1078.003" -name = "Local Accounts" -reference = "https://attack.mitre.org/techniques/T1078/003/" +id = "T1550.002" +name = "Pass the Hash" +reference = "https://attack.mitre.org/techniques/T1550/002/" [rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index d64c30893..2f7b934e9 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2023/07/05" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -102,7 +102,11 @@ Attackers can use .NET reflection to load PEs and DLLs in memory. These payloads - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"] +risk_score = 47 +rule_id = "e26f042e-c590-4e82-8e05-41e81bd822ad" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: @@ -120,11 +124,8 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"] -risk_score = 47 -rule_id = "e26f042e-c590-4e82-8e05-41e81bd822ad" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" @@ -148,6 +149,12 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index 89c00a98a..ea3c5c53b 100644 
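Review bot: The new `setup="""` key omits the spaces around `=` that the rest of the file and the other rules in this diff use (`setup = """` in proxy_execution_via_msdt, scheduledjobs_at_protocol_enabled, solarwinds_backdoor_service_disabled_via_registry, suspicious_execution_from_mounted_device and unsigned_dll_loaded_from_suspdir); the same `setup="""` form is repeated in posh_compressed, posh_process_injection, powershell_windows_firewall_disabled, suspicious_process_access_direct_syscall and system_critical_proc_abnormal_file_activity. Changing each to `setup = """` keeps the TOML style uniform. While this block is being moved, the carried-over context line `Steps to implement the logging policy with with Advanced Audit Configuration:` still has the doubled "with".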
--- a/rules/windows/defense_evasion_posh_compressed.toml +++ b/rules/windows/defense_evasion_posh_compressed.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/05" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -103,7 +103,10 @@ Attackers can embed compressed and encoded payloads in scripts to load directly - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +risk_score = 47 +rule_id = "81fe9dc6-a2d7-4192-a2d8-eed98afc766a" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: @@ -121,8 +124,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -risk_score = 47 -rule_id = "81fe9dc6-a2d7-4192-a2d8-eed98afc766a" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" @@ -138,10 +139,9 @@ event.category:process and host.os.type:windows and "IO.Compression.GzipStream" ) and FromBase64String - ) and not - (user.id:("S-1-5-18" or "S-1-5-19") and - file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads") - and not user.id : "S-1-5-18" + ) and + not file.path: ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\* and + not user.id : "S-1-5-18" ''' 
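Review bot: The rewritten exclusion in the last hunk drops the `user.id:("S-1-5-18" or "S-1-5-19")` condition that used to scope the Defender ATP `Downloads` carve-out, so any principal able to place a script under that path is now excluded, not just the two service accounts; since the separate `not user.id : "S-1-5-18"` already covers SYSTEM everywhere, the practical change is that the LocalService-only carve-out became an any-user one. If the directory's ACL is what makes this acceptable, a short comment in `note` or the commit message should say so; otherwise keep the SID scope, e.g. `not (user.id : "S-1-5-19" and file.path : ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\*)`. The move from `file.directory` equality to a `file.path` wildcard ending in `\\\\*` also widens the match from one directory to any nested subdirectory, which is worth stating explicitly.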
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 94323cd13..4eb1d0cb0 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -56,7 +56,16 @@ Red Team tooling and malware developers take advantage of these capabilities to - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", + "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access", +] +risk_score = 47 +rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: 
@@ -74,16 +83,8 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", - "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", - "https://www.elastic.co/security-labs/detect-credential-access", -] -risk_score = 47 -rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" @@ -123,3 +124,26 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 311ae1508..42ca4b25d 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Austin Songer"] @@ -57,9 +57,6 @@ This rule identifies patterns related to disabling the Windows firewall or its r - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", 
@@ -69,12 +66,21 @@ references = [ ] risk_score = 47 rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", + "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" @@ -109,3 +115,21 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml index 92101aef0..3c844a402 100644 --- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml 
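Review bot: The new `setup` string opens with an empty line directly after `"""`, so the rendered setup guide starts with a blank paragraph; the same leading blank appears in the `setup` blocks added to proxy_execution_via_msdt, scheduledjobs_at_protocol_enabled, solarwinds_backdoor_service_disabled_via_registry, suspicious_execution_from_mounted_device, suspicious_process_access_direct_syscall, system_critical_proc_abnormal_file_activity and unsigned_dll_loaded_from_suspdir. Dropping that first empty line, or starting the text on the `"""` line, fixes it. The closing sentence `For more details on adding a custom ingest pipeline refer - https://...` reads awkwardly; `For details on adding a custom ingest pipeline, see https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html` would be clearer.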
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/27" +updated_date = "2023/10/09" [transform] [[transform.osquery]] @@ -117,6 +117,16 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index 06edc6771..df9720034 100644 --- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,16 +17,20 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious Microsoft Diagnostics Wizard Execution" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", ] risk_score = 73 rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index 153c1472b..22cfee419 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,15 +18,19 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Scheduled Tasks AT Command Enabled" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"] risk_score = 47 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -57,3 +61,22 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index 771bce007..9c5d38800 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/27" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -52,7 +52,7 @@ This rule identifies file name patterns generated by the use of SDelete utility risk_score = 21 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -79,3 +79,17 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 3c6640ade..82893f451 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,17 +17,21 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "SolarWinds Process Disabling Services via Registry" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", ] risk_score = 47 rule_id = "b9960fef-82c6-4816-befa-44745030e917" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -60,6 +64,10 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" [rule.threat.tactic] id = "TA0005" 
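Review bot: The `tags` line now carries `Tactic: Initial Access`, but the only threat change visible in this diff is the `T1112` technique added under the existing Defense Evasion tactic in the second hunk; no `[rule.threat]` entry with an Initial Access tactic is added. If the file already maps an Initial Access tactic further down, this is fine, otherwise the tag/tactic consistency check will flag the mismatch and a matching `[[rule.threat]]` block (tactic `TA0001`) is needed. The second hunk also inserts the `T1112` entry with no blank line before `[rule.threat.tactic]`, unlike the other technique entries in this file.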
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index d847c63aa..dd3fe6054 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,18 +17,22 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution from a Mounted Device" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", ] risk_score = 47 rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -74,11 +78,17 @@ framework = "MITRE ATT&CK" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml index 312e75f48..faba440c8 100644 --- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ sequence by process.entity_id with maxspan=5m process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe")] [file where host.os.type == "windows" and event.type != "deletion" and file.name : ("wscript.exe.log", - "cscript.exe", + "cscript.exe.log", "mshta.exe.log", "wmic.exe.log", "svchost.exe.log", diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index 35c16deba..261c92064 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml 
@@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions." min_stack_version = "8.8.0" -updated_date = "2023/06/29" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -98,9 +98,6 @@ This rule identifies suspicious process access events from an unknown memory reg - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://twitter.com/SBousseaden/status/1278013896440324096", 
@@ -108,8 +105,16 @@ references = [ ] risk_score = 73 rule_id = "2dd480be-1263-4d9c-8672-172928f6789a" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon Only"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon Only"] timestamp_override = "event.ingested" type = "eql" @@ -150,3 +155,17 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml index ed257d4d9..492c42905 100644 --- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml +++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [rule] author = ["Elastic"] 
@@ -57,6 +57,11 @@ id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + [rule.threat.tactic] id = "TA0005" diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml index 5fdac9e42..a705510e2 100644 --- a/rules/windows/defense_evasion_suspicious_wmi_script.toml +++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ name = "Suspicious WMIC XSL Script Execution" risk_score = 47 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -47,3 +47,16 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 2406aaa28..df0074f11 100644 
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/27" +updated_date = "2023/10/13" [transform] [[transform.osquery]] @@ -97,7 +97,7 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or risk_score = 47 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -125,3 +125,15 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index f9fa390e8..9f35c66e0 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml 
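Review bot: Mapping `T1203` (Exploitation for Client Execution) to this rule looks like a stretch, since the visible context describes it as detecting a process masquerading as `Zoom.exe`, which is the Masquerading behaviour already covered by the Defense Evasion block rather than exploitation of a client application. The same `T1203` mapping is added to system_critical_proc_abnormal_file_activity, whose context describes executable creation by system-critical processes; those are not client applications, so if the intent is to capture post-exploitation drops a privilege-escalation technique may fit better, and either way the rationale should be recorded in the commit. If `T1203` is deliberate in both, a one-line justification in each rule's `note` would help the next reviewer.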
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -93,18 +93,24 @@ This rule looks for the creation of executable files done by system-critical pro - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 73 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", + "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" 
@@ -140,3 +146,16 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
index 4409d1b61..347503504 100644
--- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
+++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
@@ -2,9 +2,9 @@ creation_date = "2022/11/22"
 maturity = "production"
 integration = ["endpoint"]
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above."
 min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -18,12 +18,16 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unsigned DLL Side-Loading from a Suspicious Folder"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 risk_score = 47
 rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
@@ -118,6 +122,16 @@ library where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
index 8bc2df3e6..14d4c7a5a 100644
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml
+++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/09"
 [transform]
 [[transform.osquery]]
@@ -109,17 +109,17 @@ driver where host.os.type == "windows" and process.pid == 4 and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1553"
-name = "Subvert Trust Controls"
-reference = "https://attack.mitre.org/techniques/T1553/"
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
-id = "T1553.006"
-name = "Code Signing Policy Modification"
-reference = "https://attack.mitre.org/techniques/T1553/006/"
-
-
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 23803b6f5..f0d6f96bc 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/17"
+updated_date = "2023/10/23"
 [transform]
 [[transform.osquery]]
@@ -99,12 +99,17 @@ Attackers can abuse these alternate data streams to hide malicious files, string
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 risk_score = 47
 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
+setup="""
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index d652d66f0..a2ec539c7 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -17,12 +17,16 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Process Execution Path - Alternate Data Stream"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 risk_score = 47
 rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 6505482cc..e908eafc5 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -14,12 +14,16 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Process from a System Virtual Process"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 risk_score = 73
 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index b9aa644a1..fdfa9ffaa 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -48,9 +48,6 @@ disk from a separate binary.
 - Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.
 - Confirm with the user whether this was expected or not, and reset their password.
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
 "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview",
@@ -59,6 +56,14 @@ references = [
 ]
 risk_score = 47
 rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122"
+setup="""
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = [
 "Domain: Endpoint",
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 94fc037d5..b50a6d7c5 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -53,9 +53,6 @@ note = """## Triage and analysis
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
 "http://www.joeware.net/freetools/tools/adfind/",
@@ -67,6 +64,14 @@ references = [
 ]
 risk_score = 21
 rule_id = "eda499b8-a073-4e35-9733-22ec71f57f3a"
+setup="""
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
@@ -117,6 +122,10 @@ id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
 [rule.threat.tactic]
 id = "TA0007"
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 309acb7d0..885890710 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -49,14 +49,26 @@ This rule looks for the execution of the `net` and `wmic` utilities to enumerate
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 risk_score = 21
 rule_id = "871ea072-1b71-4def-b016-6278b505138d"
+setup="""
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -74,42 +86,43 @@ process where host.os.type == "windows" and event.type == "start" and
 ((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and process.args : ("group", "useraccount"))
-)
+) and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.002"
 name = "Domain Groups"
 reference = "https://attack.mitre.org/techniques/T1069/002/"
-
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.002"
 name = "Domain Account"
 reference = "https://attack.mitre.org/techniques/T1087/002/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 276c86291..0b1d7512b 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
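Review bot: The added `+) and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` silences this rule for `net group` / `wmic useraccount` enumeration performed under the SYSTEM, LOCAL SERVICE and NETWORK SERVICE identities, which is the context service- or task-hosted tooling runs in, so this is a coverage trade-off rather than a pure false-positive fix. The next file section in this commit, discovery_command_system_account.toml, describes itself as looking for account discovery utilities run under the SYSTEM account, so the hand-off appears deliberate; if so, record it in the rule's `note` or as a query comment such as `/* SYSTEM/service-account enumeration is covered by discovery_command_system_account.toml */` so the exclusion is not later mistaken for a gap. The rule's tags list Elastic Endgame as a data source; if any indexed source omits `user.id`, confirm how the engine evaluates `not user.id in (...)` when the field is absent, since a null comparison would drop those events rather than keep them. The same exclusion is added to discovery_enumerating_domain_trusts_via_nltest.toml in a later hunk.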
@@ -46,14 +46,19 @@ This rule looks for the execution of account discovery utilities using the SYSTE
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 - Use the data collected through the analysis to investigate other machines affected in the environment.
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 risk_score = 21
 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
+setup="""
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -79,3 +84,21 @@ id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 7b337ff65..b730a1526 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/27"
+updated_date = "2023/09/14"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,14 @@ references = [
 risk_score = 21
 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -71,16 +78,20 @@ process where host.os.type == "windows" and event.type == "start" and
 process.name : "nltest.exe" and process.args : ( "/DCLIST:*", "/DCNAME:*", "/DSGET*", "/LSAQUERYFTI:*", "/PARENTDOMAIN",
- "/DOMAIN_TRUSTS", "/BDC_QUERY:*")
+ "/DOMAIN_TRUSTS", "/BDC_QUERY:*"
+ ) and
+not process.parent.name : "PDQInventoryScanner.exe" and
+not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
+
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
@@ -90,4 +101,3 @@ reference = "https://attack.mitre.org/techniques/T1018/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index e36832140..e79a17c2b 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
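Review bot: The new exclusion `not process.parent.name : "PDQInventoryScanner.exe" and` keys the allow-list on the parent's file name alone, which is the weakest anchor an exclusion can have; pin it to the parent's full path via `process.parent.executable` with the expected install location and, where the data source populates it, to the parent's code-signature fields (`process.parent.code_signature.trusted` / `process.parent.code_signature.subject_name`) so that only the genuine inventory scanner is exempted. The added `not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` carries the same coverage trade-off raised on the discovery_admin_recon.toml hunk. Neither exclusion is explained in the rule's `note`; a one-line comment in the query, e.g. `/* PDQ Inventory runs nltest.exe as part of its scheduled scans */` (assumption, confirm with the tuning ticket), would help future tuning.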
@@ -46,12 +46,17 @@ This rule looks for the execution of the `fsutil` utility with the `fsinfo` subc
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 risk_score = 21
 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"
+setup="""
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index 3a9dfda52..c5f92588f 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,15 @@ Attackers can use PowerShell to enumerate shares to search for sensitive data li
 - Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+references = [
+ "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
+]
+risk_score = 47
+rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
+setup="""
 The 'PowerShell Script Block Logging' logging policy must be configured (Enable).
@@ -69,15 +77,8 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-references = [
- "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
- "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
-]
-risk_score = 47
-rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -133,3 +134,16 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1039"
+name = "Data from Network Shared Drive"
+reference = "https://attack.mitre.org/techniques/T1039/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index fc16b4a71..0bc58e347 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/05"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,14 @@ Attackers can use PowerShell to interact with the Win32 API to bypass command li
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+references = [
+ "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413",
+ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
+]
+risk_score = 47
+rule_id = "61ac3638-40a3-44b2-855a-985636ca985e"
+setup="""
 The 'PowerShell Script Block Logging' logging policy must be enabled.
 Steps to implement the logging policy with with Advanced Audit Configuration:
@@ -71,14 +78,8 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-references = [
- "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413",
- "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
-]
-risk_score = 47
-rule_id = "61ac3638-40a3-44b2-855a-985636ca985e"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -172,3 +173,17 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1039"
+name = "Data from Network Shared Drive"
+reference = "https://attack.mitre.org/techniques/T1039/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 17764a8ba..6fedf5fdb 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -2,9 +2,9 @@ creation_date = "2020/10/15"
 integration = ["system", "windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/10/23"
 [transform]
 [[transform.osquery]]
@@ -31,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -40,7 +39,7 @@ Administrators or Remote Desktop users.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Enumeration of Privileged Local Groups Membership"
 note = """## Triage and analysis
@@ -89,7 +88,10 @@ This rule looks for the enumeration of privileged local groups' membership by su
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
+"""
+risk_score = 47
+rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4"
+setup="""
 The 'Audit Security Group Management' audit policy must be configured (Success).
 Steps to implement the logging policy with with Advanced Audit Configuration:
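Review bot: The `setup` block opened by `+setup="""` here continues in the next hunk, which runs past the visible range, with the paragraph `If enabling an EQL rule on a non-elastic-agent index …`, yet this same commit switches the rule to `language = "kuery"` and `type = "new_terms"`, so that paragraph no longer describes this rule; reword it for a KQL/new-terms rule that relies on `timestamp_override = "event.ingested"`, or drop it. In the converted query the group filter becomes `group.name:(*Admin* or "RemoteDesktopUsers")` where the EQL version matched `"*admin*"`; KQL wildcards against a keyword field are case-sensitive unless the mapping provides a case-insensitive subfield, so confirm the new form does not narrow the match for group names that are not capitalised. The context line `Steps to implement the logging policy with with Advanced Audit Configuration:` carries a doubled `with` that could be fixed while the block is being reorganised.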
@@ -107,80 +109,88 @@ Audit Security Group Management (Success) Microsoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems. -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ -risk_score = 47 -rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -iam where event.action == "user-member-enumerated" and - - /* excluding machine account */ - not winlog.event_data.SubjectUserName: ("*$", "LOCAL SERVICE", "NETWORK SERVICE") and - - /* noisy and usual legit processes excluded */ - not winlog.event_data.CallerProcessName: - ("-", - "?:\\Windows\\System32\\VSSVC.exe", - "?:\\Windows\\System32\\SearchIndexer.exe", - "?:\\Windows\\System32\\CompatTelRunner.exe", - "?:\\Windows\\System32\\oobe\\msoobe.exe", - "?:\\Windows\\System32\\net1.exe", - 
"?:\\Windows\\System32\\svchost.exe", - "?:\\Windows\\System32\\Netplwiz.exe", - "?:\\Windows\\System32\\msiexec.exe", - "?:\\Windows\\SysWOW64\\msiexec.exe", - "?:\\Windows\\System32\\CloudExperienceHostBroker.exe", - "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "?:\\Windows\\System32\\SrTasks.exe", - "?:\\Windows\\System32\\lsass.exe", - "?:\\Windows\\System32\\diskshadow.exe", - "?:\\Windows\\System32\\dfsrs.exe", - "?:\\Program Files\\*.exe", - "?:\\Program Files (x86)\\*.exe", - "?:\\WindowsAzure\\*\\WaAppAgent.exe", - "?:\\Windows\\System32\\vssadmin.exe", - "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", - "?:\\Windows\\System32\\dllhost.exe", - "?:\\Windows\\System32\\mmc.exe", - "?:\\Windows\\System32\\SettingSyncHost.exe", - "?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", - "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe", - "?:\\Windows\\Temp\\rubrik_vmware???\\snaptool.exe", - "?:\\Windows\\System32\\inetsrv\\w3wp.exe", - "?:\\$WINDOWS.~BT\\Sources\\*.exe", - "?:\\Windows\\System32\\wsmprovhost.exe", - "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\x3jobt3?.exe", - "?:\\Windows\\System32\\mstsc.exe", - "?:\\Windows\\System32\\esentutl.exe", - "?:\\Windows\\System32\\RecoveryDrive.exe", - "?:\\Windows\\System32\\SystemPropertiesComputerName.exe") and - - /* privileged local groups */ - (group.name:("*admin*","RemoteDesktopUsers") or - winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555")) +host.os.type:windows and event.category:iam and event.action:user-member-enumerated and + ( + group.name:(*Admin* or "RemoteDesktopUsers") or + winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555") + ) and + not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or + winlog.event_data.CallerProcessName:("-" or + *\:\\\\Windows\\\\System32\\\\VSSVC.exe or + *\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or + *\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or + 
*\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or + *\:\\\\Windows\\\\System32\\\\net1.exe or + *\:\\\\Windows\\\\System32\\\\svchost.exe or + *\:\\\\Windows\\\\System32\\\\Netplwiz.exe or + *\:\\\\Windows\\\\System32\\\\msiexec.exe or + *\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or + *\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or + *\:\\\\Windows\\\\System32\\\\SrTasks.exe or + *\:\\\\Windows\\\\System32\\\\diskshadow.exe or + *\:\\\\Windows\\\\System32\\\\dfsrs.exe or + *\:\\\\Windows\\\\System32\\\\vssadmin.exe or + *\:\\\\Windows\\\\System32\\\\dllhost.exe or + *\:\\\\Windows\\\\System32\\\\mmc.exe or + *\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or + *\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or + *\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or + *\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe or + *\:\\\\Windows\\\\System32\\\\mstsc.exe or + *\:\\\\Windows\\\\System32\\\\esentutl.exe or + *\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or + *\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or + *\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or + *\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or + *\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe or + *\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or + ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe or + ?\:\\\\Program?Files?\(x86\)\\\\*.exe or + ?\:\\\\Program?Files\\\\*.exe or + ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe + ) + ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[rule.new_terms] +field = "new_terms_fields" +value = 
["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml new file mode 100644 index 000000000..f6108af2a --- /dev/null +++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml 
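Review bot: Two entries from the old EQL `CallerProcessName` exclusion list are not carried into the KQL version — `?:\\Windows\\System32\\lsass.exe` and `?:\\Windows\\System32\\SystemSettingsAdminFlows.exe` — while every other entry is; if dropping them is intentional, say so in the commit, otherwise restore them as `*\:\\\\Windows\\\\System32\\\\lsass.exe or` and `*\:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe or`. The `setup` text added at the top of this hunk still opens with "If enabling an EQL rule on a non-elastic-agent index", yet the same hunk changes `type` to `new_terms` and the previous hunk changes `language` to `kuery`, so that paragraph no longer describes this rule (the svchost rule in this commit has the same mismatch); reword it for the new-terms rule or drop it. EQL `:` comparisons are case-insensitive whereas KQL wildcard terms on keyword fields are case-sensitive, so `group.name:(*Admin* or ...)` and the path patterns presumably match a narrower set than before unless those fields are mapped case-insensitively — worth a check against sample 4799 events.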
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/09/22"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id, user.id and process.command_line entries.
+"""
+from = "now-9m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
+risk_score = 21
+rule_id = "29ef5686-9b93-433e-91b5-683911094698"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
+ "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
+ "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
+ "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
+ "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.command_line"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
new file mode 100644
index 000000000..f42418688
--- /dev/null
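Review bot: The query pins eight `kibana.alert.rule.rule_id` values with nothing that ties them back to the building-block rules they stand for, so when one of those rules is renamed, deprecated or re-issued under a new id this rule's alert feed silently shrinks; KQL has no comment syntax, so list the rule names in a `note` or `references` entry (the same applies to `discovery_signal_unusual_discovery_signal_proc_executable.toml`, which pins a single id). `timestamp_override = "event.ingested"` on `.alerts-security.*` presumably refers to the ingest time of the source event rather than the alert document's creation time; if a building-block alert is written more than the `from = "now-9m"` window after that timestamp, this rule would never see it — confirm which timestamp the alert documents carry, or override on `@timestamp`.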
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/09/22"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/09/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id, user.id and process.executable entries.
+"""
+from = "now-9m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Discovery Signal Alert with Unusual Process Executable"
+risk_score = 21
+rule_id = "72ed9140-fe9d-4a34-a026-75b50e484b17"
+severity = "low"
+tags = ["Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: Higher-Order Rule"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:"1d72d014-e2ab-4707-b056-9b96abe7b511"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index dcccd0c20..52028b477 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -55,12 +55,17 @@ This rule looks for the execution of the `whoami` utility. Attackers commonly us - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml index 7f0913897..fbadfaebf 100644 
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,18 +17,22 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Command Execution via SolarWinds Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc", ] risk_score = 47 rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -52,6 +56,16 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml index bf4cc721f..74e51e0b7 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
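Review bot: The previous hunk adds `Tactic: Initial Access` to `tags`, but the threat data added here only nests the T1059.001 and T1059.003 subtechniques under the existing TA0002 (Execution) block; unless the file already carries a `[[rule.threat]]` block for TA0001 outside this diff, the tag has no matching tactic entry and the repository's tag/threat consistency checks will presumably flag it. Either add the TA0001 block (`[[rule.threat]]` / `[rule.threat.tactic]` with `id = "TA0001"`, `name = "Initial Access"`, `reference = "https://attack.mitre.org/tactics/TA0001/"`) or drop the tag.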
@@ -17,16 +17,20 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious SolarWinds Child Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc", ] risk_score = 47 rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index d1cd2a58d..c503a2871 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,16 +18,20 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Execution of COM object via Xwizard" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", ] risk_score = 47 rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index de9784d6e..010d9dfb2 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml 
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,9 +2,9 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/22" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -31,13 +31,12 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ - [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe" from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] -language = "eql" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "kuery" license = "Elastic License v2" name = "Svchost spawning Cmd" note = """## Triage and analysis 
@@ -90,57 +89,55 @@ This rule looks for the creation of the `cmd.exe` process with `svchost.exe` as - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747", ] risk_score = 21 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. 
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" timeline_title = "Comprehensive Process Timeline" timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - - process.parent.name : "svchost.exe" and process.name : "cmd.exe" and - - not process.args : - ("??:\\Program Files\\Npcap\\CheckStatus.bat?", - "?:\\Program Files\\Npcap\\CheckStatus.bat", - "\\system32\\cleanmgr.exe", - "?:\\Windows\\system32\\silcollector.cmd", - "\\system32\\AppHostRegistrationVerifier.exe", - "\\system32\\ServerManagerLauncher.exe", - "dir", - "?:\\Program Files\\*", - "?:\\Program Files (x86)\\*", - "?:\\Windows\\LSDeployment\\Lspush.exe", - "(x86)\\FMAuditOnsite\\watchdog.bat", - "?:\\ProgramData\\chocolatey\\bin\\choco-upgrade-all.bat", - "Files\\Npcap\\CheckStatus.bat") and - - /* very noisy pattern - bat or cmd script executed via scheduled tasks */ - not (process.parent.args : "netsvcs" and process.args : ("?:\\*.bat", "?:\\*.cmd")) +host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and +process.name.caseless:"cmd.exe" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = 
"https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.command_line", "user.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index f5c6bef24..7f7664d35 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
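Review bot: `process.name.caseless:"cmd.exe"` depends on a `.caseless` multi-field that Elastic Defend maps for `logs-endpoint.events.*`, but the rule still targets `winlogbeat-*` and `logs-windows.*`; if those indices do not map `process.name.caseless`, the clause matches nothing there and the rule silently stops covering Winlogbeat and Windows-integration events, while the parent check `process.parent.name:"svchost.exe"` is not caseless, which is inconsistent either way. Use `(process.name.caseless:"cmd.exe" or process.name:"cmd.exe")`, or verify the mapping on every listed index. The old exclusion list (Npcap `CheckStatus.bat`, `cleanmgr.exe`, the `netsvcs` scheduled-task pattern with its `/* very noisy pattern */` rationale) is removed entirely, presumably because `new_terms` on `host.id`/`process.command_line`/`user.id` now absorbs the recurring benign command lines; that is reasonable, but each of those command lines will alert once per host and user during the 14-day history window, so the `note` should mention it. The `setup` text and the `setup=` spacing issue raised on the localgroup rule apply here too.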
@@ -14,12 +14,16 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Unusual Parent Process for cmd.exe" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index 8f63f159e..f305b49fb 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -15,14 +15,18 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Command Shell Activity Started via RunDLL32" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 21 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -70,3 +74,22 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index ef6f9c1b7..a8859e609 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
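Review bot: The appended Defense Evasion threat block has no blank line between `[[rule.threat]]`, `[[rule.threat.technique]]` and `[[rule.threat.technique.subtechnique]]`, then three blank lines before `[rule.threat.tactic]` and a trailing blank line at EOF; elsewhere in this commit (the wmiprvse and ms_office rules) tables are normalized to exactly one blank line between them and no trailing blank, so reformat this block the same way. The new `Tactic: Defense Evasion` tag and the TA0005 entry are consistent with each other.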
@@ -17,14 +17,24 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Enumeration Command Spawned via WMIPrvSE" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 21 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -55,24 +65,30 @@ process where host.os.type == "windows" and event.type == "start" and "tracert.exe", "whoami.exe" ) and - process.parent.name:"wmiprvse.exe" + process.parent.name:"wmiprvse.exe" and + not ( + process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and + process.args : ("demand", "disabled") + ) and + not process.args : "tenable_mw_scan" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" @@ -92,6 +108,7 @@ reference = "https://attack.mitre.org/techniques/T1518/" id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" @@ -106,4 +123,3 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index d2ef500f5..d832bc27c 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] 
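Review bot: The new `not process.args : "tenable_mw_scan"` exclusion is keyed on a single command-line token rather than on the scanner's executable or code signature, so it suppresses any enumeration command spawned by WmiPrvSE that carries that argument, regardless of which binary launched it; scope it to the Tenable executable path or a `process.code_signature.*` condition, and at minimum record what it covers with an EQL comment such as `/* Tenable malware scan */`, in the style of the comments the older queries in this commit already use. The `sc.exe` carve-out checks `RemoteRegistry`, `start=` and `demand`/`disabled` as independent args, which fits the legitimate `sc config RemoteRegistry start= demand` invocation it appears to target, but a one-line comment naming that command would help the next reviewer.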
@@ -94,12 +94,17 @@ This rule looks for the execution of scripts from unusual directories. Attackers - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml index 581098701..48aa8a50a 100644 --- a/rules/windows/execution_ms_office_written_file.toml +++ b/rules/windows/execution_ms_office_written_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/19" [rule] author = ["Elastic"] 
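Review bot: The new `setup` block instructs users on stacks below 8.2 to add an ingest pipeline for `event.ingested`, but the `@@ -4,7` hunk for this same file shows `min_stack_version = "8.3.0"`, so on every stack the rule can be installed on the default fallback the text itself describes already exists and the instruction is dead guidance. If the intent is to cover Beats indices that were populated before an upgrade, say so explicitly; otherwise trim it to a one-line statement that the rule relies on `event.ingested`. Minor style: `setup="""` here versus `setup = """` in the WMIPrvSE rule in this same change — the rest of the TOML spaces around `=`, and a consistent form keeps later diffs quiet. The `note` string that precedes this hunk starts outside it.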
@@ -68,7 +68,14 @@ This rule searches for executable files written by MS Office applications execut risk_score = 73 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' @@ -83,10 +90,11 @@ sequence with maxspan=2h process.name : "MSPUB.EXE" or process.name : "MSACCESS.EXE") ] by host.id, file.path - [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable + [process where host.os.type == "windows" and event.type == "start" and + not (process.name : "NewOutlookInstaller.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) + ] by host.id, process.executable ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -94,12 +102,15 @@ framework = "MITRE ATT&CK" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -110,10 +121,7 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml index c80403035..fdbdf5c49 100644 
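Review bot: The new `not (process.name : "NewOutlookInstaller.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)` exception in the second sequence stage is correctly gated on the signer and trust state rather than on the file name alone, but nothing in the file records why it exists, and unexplained carve-outs in a `risk_score = 73` rule tend to outlive their reason. Add an inline EQL comment on that line, e.g. `/* new Outlook bootstrapper is dropped by Office and is Microsoft-signed */`, the way the PowerShell ImageLoad rule in this change annotates its exceptions. If telemetry shows the installer always launches from one stable path, pinning it with `process.executable` as well would narrow the exception further without touching the sequence keys. The first stage's Office process list begins above this hunk.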
--- a/rules/windows/execution_posh_hacktool_functions.toml +++ b/rules/windows/execution_posh_hacktool_functions.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2023/07/17" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -17,7 +17,13 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "Potential PowerShell HackTool Script by Function Names" -note = """## Setup +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", + "https://github.com/BC-SECURITY/Empire" +] +risk_score = 47 +rule_id = "cde1bafa-9f01-4f43-a872-605b678968b0" +setup = """ The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: @@ -35,12 +41,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", - "https://github.com/BC-SECURITY/Empire" -] -risk_score = 47 -rule_id = "cde1bafa-9f01-4f43-a872-605b678968b0" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" 
@@ -224,10 +224,11 @@ event.category:process and host.os.type:windows and "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" - ) - and not powershell.file.script_block_text : ( + ) and + not powershell.file.script_block_text : ( "sentinelbreakpoints" and "Set-PSBreakpoint" - ) + ) and + not user.id : ("S-1-5-18" or "S-1-5-19") ''' diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index aaf299a29..feefe8279 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -101,7 +101,13 @@ Attackers can abuse PowerShell in-memory capabilities to inject executables into - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", +] +risk_score = 47 +rule_id = "ad84d445-b1ce-4377-82d9-7c633f28bf9a" +setup=""" The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: 
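Review bot: The added `not user.id : ("S-1-5-18" or "S-1-5-19")` clause switches this rule off for anything PowerShell runs as SYSTEM or LOCAL SERVICE, which is exactly the context in which the `Invoke-*` tooling listed above is most often run once PsExec, a service or a scheduled task has handed the operator SYSTEM. If the goal is to silence one management agent, exclude it by what identifies that agent — its `file.path` or a distinctive `powershell.file.script_block_text` fragment, as the existing `sentinelbreakpoints` clause already does — rather than by a whole well-known SID, e.g. `not (user.id : "S-1-5-18" and file.path : <agent script path>)`. At minimum the reason for the SID exclusion should be recorded in the rule's `note`. The function list starts above this hunk and the closing `'''` is its last line.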
@@ -119,13 +125,8 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", -] -risk_score = 47 -rule_id = "ad84d445-b1ce-4377-82d9-7c633f28bf9a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" @@ -155,3 +156,16 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml index 947263e11..a5332cf2d 100644 --- a/rules/windows/execution_posh_psreflect.toml +++ b/rules/windows/execution_posh_psreflect.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] 
@@ -110,7 +110,14 @@ Detecting the core implementation of PSReflect means detecting most of the tooli - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", +] +risk_score = 47 +rule_id = "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe" +setup=""" The 'PowerShell Script Block Logging' logging policy must be configured (Enable). @@ -129,12 +136,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", -] -risk_score = 47 -rule_id = "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" @@ -152,7 +153,9 @@ event.category:process and host.os.type:windows and "Reflection.Emit.OpCodes" or "Reflection.Emit.CustomAttributeBuilder" or "Runtime.InteropServices.DllImportAttribute" - ) and not user.id : "S-1-5-18" + ) and + not user.id : "S-1-5-18" and + not file.path : ?\:\\\\ProgramData\\\\MaaS360\\\\Cloud?Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1* ''' 
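Review bot: The new `not file.path : ?\:\\\\ProgramData\\\\MaaS360\\\\Cloud?Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1*` exclusion allowlists a script by location under `ProgramData`, where authenticated users can by default create subfolders, so on a host without the MaaS360 agent anyone can create that path and name a PSReflect-based loader `ASModuleCommon.ps1` to go quiet; the trailing `*` also matches any file whose name merely starts with that string. Drop the wildcard so the path must match exactly, and since these are script-block events, consider requiring a distinctive fragment of the MaaS360 module in `powershell.file.script_block_text` alongside the path so both must match. The `?` standing in for the space in `Cloud?Extender` follows the repo's `Program?Files` convention but still deserves a one-line remark in `note` so it is not read as a typo. The pre-existing `S-1-5-18` exclusion on the line above is unchanged; the opening of the query and the rest of the reflection-string list are above this hunk.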
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml index f1ff0df28..b927a906c 100644 --- a/rules/windows/execution_psexec_lateral_movement_command.toml +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -58,7 +58,7 @@ This rule identifies PsExec execution by looking for the creation of `PsExec.exe risk_score = 21 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -98,6 +98,21 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml index 7859246f9..467b9abed 100644 
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [transform] [[transform.osquery]] @@ -105,7 +105,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 21 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -139,6 +139,12 @@ framework = "MITRE ATT&CK" id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + [[rule.threat.technique.subtechnique]] id = "T1218.010" name = "Regsvr32" diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml index e0354c190..c70c0b9d0 100644 --- a/rules/windows/execution_scheduled_task_powershell_source.toml +++ b/rules/windows/execution_scheduled_task_powershell_source.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [rule] author = ["Elastic"] 
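Review bot: The `@@ -139,6` hunk adds T1218.009 (Regsvcs/Regasm) next to the existing T1218.010 (Regsvr32), but the query that would justify it is outside the hunk (`query = '''` is the last context line before it), and the rule's name, "Register Server Program Connecting to the Internet", and its existing subtechnique both describe regsvr32. If the query also matches `regsvcs.exe`/`regasm.exe`, the mapping is right and the name or description should mention them; if it does not, the extra subtechnique over-claims coverage in ATT&CK exports and should be dropped. The new `Tactic: Defense Evasion` tag is consistent with T1218 either way. This is a request to confirm against the query body, which is not visible here.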
@@ -45,6 +45,14 @@ reference = "https://attack.mitre.org/techniques/T1053/" id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index 79c5f8334..ae4376814 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -22,13 +22,18 @@ note = """## Triage and analysis The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory. -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"] risk_score = 47 rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 200bd74c1..41a514ec9 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,12 +17,16 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious Cmd Execution via WMI" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
@@ -43,6 +47,16 @@ name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index a363a06e7..df7c585b5 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -18,15 +18,19 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious WMI Image Load from MS Office" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", ] risk_score = 21 rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 6513bafd4..4fa9bc8e8 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -65,14 +65,19 @@ This rule looks for commonly abused built-in utilities spawned by a PDF reader p - Consider improvements to the security awareness program. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -96,9 +101,9 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1204" -name = "User Execution" -reference = "https://attack.mitre.org/techniques/T1204/" +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" [rule.threat.tactic] @@ -106,3 +111,19 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 31d26f7e6..d838855cc 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -2,9 +2,9 @@ creation_date = "2020/11/17" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/06/29" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/20" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ with powershell.exe, some attackers do this to operate more stealthily. """ from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Suspicious PowerShell Engine ImageLoad" note = """## Triage and analysis 
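Review bot: Replacing T1204 (User Execution) with T1203 (Exploitation for Client Execution) narrows the claimed coverage to exploit-driven child processes, yet the description above says the rule looks for built-in utilities spawned by a PDF reader, which happens just as readily when a user approves a launch action or embedded script in a malicious PDF — T1204.002 (Malicious File), not exploitation. A process-start rule cannot tell the two causes apart, so keep the T1204 entry (ideally with the T1204.002 subtechnique) alongside the new T1203 block rather than swapping one for the other. The added Initial Access mapping to T1566.001 is a reasonable delivery-path annotation and can stay. The query body sits above this hunk.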
@@ -63,56 +63,47 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly risk_score = 47 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -library where host.os.type == "windows" and - dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and - not - ( - /* MS Signed Binaries */ - ( - process.code_signature.subject_name : ( - "Microsoft Windows", - "Microsoft Dynamic Code Publisher", - "Microsoft Corporation" - ) and process.code_signature.trusted == true and not process.name : ("rundll32.exe", "regsvr32.exe") - ) or - - /* Signed Executables from the Program Files folder */ - ( - process.executable : ( - "?:\\Program Files (x86)\\*.exe", - "?:\\Program Files\\*.exe" - ) and process.code_signature.trusted == true - ) or - - /* Lenovo */ - ( - process.executable : ( - "?:\\Windows\\Lenovo\\*.exe" - ) and (process.code_signature.subject_name : "Lenovo" and process.code_signature.trusted == true) - ) - ) +host.os.type:windows and event.category:library and + dll.name:("System.Management.Automation.dll" or "System.Management.Automation.ni.dll") and + not (process.code_signature.subject_name:("Microsoft Corporation" or "Microsoft Dynamic Code Publisher" or "Microsoft Windows") and process.code_signature.trusted:true and not process.name.caseless:("regsvr32.exe" or "rundll32.exe")) and + not (process.executable.caseless:(?\:\\\\Program?Files?\(x86\)\\\\*.exe or ?\:\\\\Program?Files\\\\*.exe) and process.code_signature.trusted:true) and + not 
(process.executable.caseless:?\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:"Lenovo" and + process.code_signature.trusted:true) and not process.executable.caseless : "C:\\Windows\\System32\\powershell.exe" ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "user.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 9d558f377..5b29e6018 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
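Review bot: The new trailing clause `not process.executable.caseless : "C:\\Windows\\System32\\powershell.exe"` names a path where, on a stock Windows install as far as I know, powershell.exe does not live (it sits under `System32\WindowsPowerShell\v1.0\`), so the exclusion very likely never matches the real host and instead allowlists a `powershell.exe` dropped directly into System32 — a masquerading location — while also being the only clause not guarded by `process.code_signature.trusted`. Confirm the intended path from telemetry; if the aim is only to skip the genuine PowerShell host, the Microsoft-signed exemption above already covers it and the line can go, otherwise pin the real path and keep the signature check. Converting to `new_terms` over `host.id, process.executable, user.id` with a 14-day window also means a given unsigned binary alerts once per host and user and is silent afterwards, which is worth a sentence in `note` so analysts do not read a missing alert as absence of activity. Dropping the `Data Source: Elastic Endgame` tag is consistent with the `logs-endpoint.events.*`-only index shown in the earlier hunk. This hunk begins on the preceding line with the `risk_score`/`rule_id` context.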
@@ -19,7 +19,7 @@ license = "Elastic License v2" name = "Suspicious Process Execution via Renamed PsExec Executable" note = """## Triage and analysis -### Investigating PsExec Network Connection +### Investigating Suspicious Process Execution via Renamed PsExec Executable PsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections. 
@@ -48,14 +48,27 @@ This rule identifies instances where the PsExec service component is executed us - Review the privileges assigned to the user to ensure that the least privilege principle is being followed. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -64,22 +77,39 @@ process where host.os.type == "windows" and event.type == "start" and process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename System Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 2917eaf49..b2055e51e 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] 
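Review bot: The new Defense Evasion `[[rule.threat]]` block at the end of the file has three blank lines between the `T1036.003` subtechnique and `[rule.threat.tactic]` plus a trailing blank line, while the Execution block directly above it was just normalised to single blank lines in the same hunk; one blank line between tables and none at EOF matches the style the rest of the hunk establishes and keeps future diffs clean. The T1036.003 (Rename System Utilities) mapping itself fits the visible query, `process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe"`.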
@@ -108,12 +108,17 @@ When users double-click CHM files, the HTML Help executable program (`hh.exe`) w - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 73662fe38..0b3d4e314 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml 
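Review bot: The new setup text states that the EQL `event.ingested` fallback exists from version 8.2, yet this file's metadata hunk on the previous line pins `min_stack_version = "8.3.0"`, so the custom-pipeline instruction only applies if the `<8.2` bound refers to the shipper writing the non-agent index rather than to the stack. The sentence should say which component the version bound applies to, for instance `... (such as an index written by Beats older than 8.2) ...` if that is the intent. Because the block is identical in every setup string added by this commit, the clarification belongs in all of them.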
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -65,17 +65,22 @@ Attackers often rely on custom shell implementations to avoid using built-in com - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html", ] risk_score = 73 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -104,3 +109,29 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index a337f558c..1dac9da4a 100644 --- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
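Review bot: The second appended `[[rule.threat]]` maps this rule to T1055 Process Injection under Privilege Escalation, but a rule that, judging by its filename and the description in the earlier hunk, alerts on a shell started through a hidden console does not observe injection, so the mapping and the matching `Tactic: Privilege Escalation` tag added in the previous hunk of this file appear to overstate what the detection covers. If the query (outside this hunk) checks no injection indicators, drop the T1055 block and that tag. T1036 Masquerading under Defense Evasion is likewise only warranted if the query inspects renamed or mismatched binaries, which the hunk does not show; worth confirming before the tags are published.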
@@ -59,13 +59,18 @@ This rule identifies file deletions performed by a process that does not belong - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"] risk_score = 47 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -99,6 +104,10 @@ id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" [rule.threat.tactic] id = "TA0040" 
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 2891f1b5f..ff44a981c 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -56,12 +56,17 @@ This rule identifies the deletion of the backup catalog using the `wbadmin.exe` - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -81,6 +86,11 @@ id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + [rule.threat.tactic] id = "TA0040" diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index f9559a9af..eff922231 100644 --- a/rules/windows/impact_modification_of_boot_config.toml 
+++ b/rules/windows/impact_modification_of_boot_config.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -56,12 +56,17 @@ These are common steps in destructive attacks by adversaries leveraging ransomwa - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index 020a629a9..a26440e37 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -75,12 +75,17 @@ This rule monitors the execution of Vssadmin.exe to either delete or resize shad - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 73 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 8f26fbd35..db00af32e 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic", "Austin Songer"] 
@@ -74,9 +74,6 @@ This rule monitors the execution of PowerShell cmdlets to interact with the Win3 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", @@ -85,8 +82,16 @@ references = [ ] risk_score = 73 rule_id = "d99a037b-c8e2-47a5-97b9-170d076827c4" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -112,3 +117,21 @@ id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 2c2d66f71..53312c4d5 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -75,14 +75,19 @@ This rule monitors the execution of `wmic.exe` to interact with VSS via the `sha - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 73 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -106,3 +111,17 @@ id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index ffbb3aa72..a02c75d86 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,12 +17,16 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious HTML File Creation" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"] type = "eql" diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 2d99fa24f..a2dd1d97e 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -67,14 +67,19 @@ This rule looks for the spawn of the `powershell.exe` process with `cscript.exe` - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -102,3 +107,26 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index d4ae9b815..81d724353 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -73,8 +73,19 @@ reference = "https://attack.mitre.org/techniques/T1566/001/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" 
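Review bot: `updated_date` in initial_access_scripts_process_started_via_wmi.toml is bumped to `2023/10/09` while every other file touched by this commit is set to `2023/10/23`; unless that file was deliberately dated earlier, the metadata hunk should read `updated_date = "2023/10/23"`. In the threat hunk of the same file the new T1059 / T1059.005 technique table is inserted, presumably under the existing Execution entry that holds T1047, with two added blank lines above `[[rule.threat]]` but no change to the file's `tags`; since every other rule in this commit adds `Tactic: Execution` when it adds an Execution threat entry, it is worth checking that this file's `tags` (outside the hunk) already carry it.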
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index b182c3798..95aa2b45c 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic", "Austin Songer"] @@ -37,9 +37,6 @@ from existing intrusions. Other tools for detecting and mitigating can be found [repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security) -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", 
@@ -47,8 +44,16 @@ references = [ ] risk_score = 47 rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -83,3 +88,17 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 55f3ebb97..74bd46eb7 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml 
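Review bot: The appended `[[rule.threat]]` maps T1210 Exploitation of Remote Services under Lateral Movement to a rule whose description (context in the previous hunk) concerns files written on an exploited Exchange server; in ATT&CK T1210 covers exploiting a service from a host the adversary already controls, while exploitation of an exposed Exchange server is Initial Access, which this rule already carries (`TA0001` in the hunk's context lines). If the intent is to also cover exploitation launched from inside the network, the description should say so; otherwise the new threat block and the `Tactic: Lateral Movement` tag added in the same hunk widen the tag set without any change to the query. The same mapping is added to initial_access_suspicious_ms_exchange_process.toml in a later hunk and should be reconsidered together with this one.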
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -23,18 +23,22 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Server UM Spawning Suspicious Processes" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", ] risk_score = 47 rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -63,3 +67,16 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index d82babd8e..fc18149c8 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,10 +17,6 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Worker Spawning Suspicious Processes" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", 
@@ -28,8 +24,16 @@ references = [ ] risk_score = 73 rule_id = "f81ee52c-297e-46d9-9205-07e66931df26" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -54,3 +58,24 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index c3fe64e47..f2d6d2004 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml 
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -65,15 +65,20 @@ This rule looks for suspicious processes spawned by MS Office programs. This is - Consider improvements to the security awareness program. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://www.elastic.co/blog/vulnerability-summary-follina"] risk_score = 47 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
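Review bot: `setup="""` on the new line drops the spaces around `=`, while every other key in this file and the `setup = """` added to the sibling rules in this commit use the `key = value` form; TOML accepts both, but the inconsistency will trip anyone grepping for `setup = ` across the rules directory. Suggest `setup = """`. The same form appears in the hunks at L1094 and L1107.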
@@ -113,6 +118,11 @@ framework = "MITRE ATT&CK" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" @@ -125,3 +135,17 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index 74eecceb3..425294262 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
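Review bot: T1218 (System Binary Proxy Execution) is added here as a bare parent technique, whereas the other Defense Evasion addition in this commit (T1218.014 at L1098) maps a sub-technique; if the query's child-process list names specific proxy binaries (the query is outside the hunk), the matching `[[rule.threat.technique.subtechnique]]` entries would make the mapping as precise as the T1059 sub-techniques already in this file. The same parent-only T1218 mapping is added at L1095 and L1097. Separately, three blank lines precede `[rule.threat.tactic]` here versus two in the other new threat blocks; one consistent spacing would be cleaner.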
@@ -64,14 +64,19 @@ This rule looks for suspicious processes spawned by MS Outlook, which can be the - Consider improvements to the security awareness program. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -107,3 +112,40 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 5480ac86f..51ea424cb 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,14 +17,18 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious Explorer Child Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -68,3 +72,44 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index fb5bcd72d..5f3769ce7 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] 
@@ -22,7 +22,7 @@ references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20 risk_score = 73 rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -54,3 +54,21 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.014" +name = "MMC" +reference = "https://attack.mitre.org/techniques/T1218/014/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml index cc750c16e..b21e1579f 100644 --- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] 
@@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -55,3 +55,15 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index de21c911e..daae98184 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -18,16 +18,20 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Potential Remote Desktop Shadowing Activity" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/", ] risk_score = 73 rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -60,6 +64,10 @@ id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index 30457f6d7..d245bb01e 100644 
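Review bot: The T1021.001 sub-technique table is inserted directly against the following `[rule.threat.tactic]` table with no separating blank line, while the identical insertion at L1102 adds one; the loader does not care, but the other threat blocks in these files separate sub-technique and tactic tables, so suggest a blank line after `reference = "https://attack.mitre.org/techniques/T1021/001/"`. The hunk at L1110 has the same layout.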
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/10" -integration = ["endpoint", "windows"] +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies the creation or change of a Windows executable file over network shar other files between systems in a compromised environment. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Lateral Tool Transfer via SMB Share" @@ -71,7 +71,8 @@ sequence by host.id with maxspan=30s network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ] by process.entity_id /* add more executable extensions here if they are not noisy in your environment */ - [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id + [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and + (file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll"))] by process.entity_id ''' diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index c3a97f752..f102377f4 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml 
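Review bot: The rewritten file predicate silently drops `bat` and `cmd` from the extension list while adding `scr`, `pif` and `com`, and the new `file.Ext.header_bytes : "4d5a*"` branch only covers PE images, so batch scripts written over an SMB share no longer match this rule. If that narrowing is intentional (batch-file noise), the comment kept just above is the place to say so, e.g. `/* PE files are matched by header; add script extensions such as bat/cmd here if they are not noisy in your environment */`. Narrowing `index` to `logs-endpoint.events.*` follows from `file.Ext.header_bytes` being an Elastic Defend field, but the rule's `tags` (outside the hunk) should be checked for a now-stale non-endpoint data-source tag; the hunk at L1103 makes the same index and predicate change for the file-share execution rule, where the dropped-extension concern does not apply since that rule only ever matched `exe`.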
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,13 +17,17 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Execution via TSClient Mountpoint" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"] risk_score = 73 rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -41,6 +45,11 @@ id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [rule.threat.tactic] id = "TA0008" 
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index d5b91b1fd..d610946c8 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/11/03" -integration = ["endpoint", "windows"] +integration = ["endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/09" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -39,7 +39,7 @@ Identifies the execution of a file that was created by the virtual system proces via network file shares. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Remote Execution via File Shares" @@ -100,7 +100,8 @@ type = "eql" query = ''' sequence with maxspan=1m - [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and file.extension : "exe"] by host.id, file.path + [file where host.os.type == "windows" and event.type in ("creation", "change") and + process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable ''' diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index d501b1180..4be4ea1b6 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/30" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -34,13 +34,16 @@ sequence by host.id with maxspan = 2s /* Excluding Common FPs Nessus and SCCM */ - [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and - not process.args : ("C:\\windows\\temp\\nessus_*.txt", - "*C:\\windows\\TEMP\\nessus_*.TMP*", - "*C:\\Windows\\CCM\\SystemTemp\\*", - "C:\\Windows\\CCM\\ccmrepair.exe", - "C:\\Windows\\CCMCache\\*", - "C:\\CCM\\Cache\\*") + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and + not process.Ext.token.integrity_level_name : "system" and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + not process.executable : + ("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe", + "?:\\Windows\\CCM\\Ccm32BitLauncher.exe", + "?:\\Windows\\System32\\wbem\\mofcomp.exe", + "?:\\Windows\\Microsoft.NET\\Framework*\\csc.exe", + "?:\\Windows\\System32\\powercfg.exe") and + not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "REBOOT=ReallySuppress") and + not (process.executable : "?:\\Windows\\System32\\inetsrv\\appcmd.exe" and process.args : "uninstall") ] ''' @@ -48,6 +51,11 @@ sequence by host.id with maxspan = 2s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index a37040210..1baafe790 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml 
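Review bot: The new exclusion `not process.Ext.token.integrity_level_name : "system"` relies on an Elastic Defend-only field, yet this file keeps `integration = ["endpoint", "windows"]` (visible in the preceding hunk header) and presumably its non-endpoint indices, so on events from those sources the field is absent and the negated comparison will not evaluate true (EQL comparisons on a missing field yield null rather than true, worth confirming), which drops those events out of the sequence. The SMB rules in this commit (L1101, L1103) handle the same situation by narrowing `integration`/`index` to the endpoint source; either do that here or guard the check with `(process.Ext.token.integrity_level_name == null or not process.Ext.token.integrity_level_name : "system")`. The comment `/* Excluding Common FPs Nessus and SCCM */` is now stale, since the Nessus paths are gone and the list covers HP SUM, mofcomp, csc, powercfg, msiexec and appcmd; suggest `/* Exclude known-benign WmiPrvSE children: SYSTEM/service accounts, SCCM, HP SUM, .NET compilation, power/IIS/MSI maintenance */`.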
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,12 +17,16 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Mounting Hidden or WebDav Remote Shares" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index 7cb9e6151..0797360cb 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -57,3 +57,20 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 0dc72a734..48f354d78 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -53,14 +53,19 @@ This rule detects modification of the fDenyTSConnections registry key to the val - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "58aa72ca-d968-4f34-b9f7-bea51d75eb50" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -96,3 +101,17 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 566d47df4..8bbbc5939 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,12 +17,16 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Remote File Copy to a Hidden Share" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index 07464fa4d..3699b0339 100644 --- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml +++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,13 +17,17 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious RDP ActiveX Client Loaded" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"] risk_score = 47 rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -57,6 +61,10 @@ id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" 
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml similarity index 86% rename from rules/windows/initial_access_unusual_dns_service_children.toml rename to rules/windows/lateral_movement_unusual_dns_service_children.toml index 4318c3153..b8fdd20d2 100644 --- a/rules/windows/initial_access_unusual_dns_service_children.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -60,9 +60,6 @@ This rule looks for unusual children of the `dns.exe` process, which can indicat - Review the privileges assigned to the user to ensure that the least privilege principle is being followed. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", 
@@ -72,8 +69,16 @@ references = [ ] risk_score = 73 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -86,13 +91,13 @@ process where host.os.type == "windows" and event.type == "start" and process.pa [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" 
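Review bot: `setup="""` here omits the spaces around `=` that every other key in the file and the `setup = """` added in the hunk at L1109 use; `setup = """` keeps the TOML style uniform across the rule set. The same spelling appears in the hunks at L1114, L1117, L1120 and L1122.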
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml similarity index 74% rename from rules/windows/initial_access_unusual_dns_service_file_writes.toml rename to rules/windows/lateral_movement_unusual_dns_service_file_writes.toml index 6d3ec3940..6fecab4ef 100644 --- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml +++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -24,9 +24,6 @@ Detection alerts from this rule indicate potential unusual/abnormal file writes - Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. - Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care. -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", 
@@ -35,8 +32,16 @@ references = [ ] risk_score = 73 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -50,13 +55,13 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1133" -name = "External Remote Services" -reference = "https://attack.mitre.org/techniques/T1133/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index 7f65fc181..1e426b444 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,13 +17,17 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Lateral Movement via Startup Folder" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://www.mdsec.co.uk/2017/06/rdpinception/"] risk_score = 73 rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -47,6 +51,11 @@ id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [rule.threat.tactic] id = "TA0008" 
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml index 84d4d80bf..222a1d54e 100644 --- a/rules/windows/persistence_ad_adminsdholder.toml +++ b/rules/windows/persistence_ad_adminsdholder.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -39,6 +39,20 @@ event.action:"Directory Service Changes" and event.code:5136 and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0003" diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 828e74cc4..7838d792e 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -90,13 +90,18 @@ Attackers can replace the `RdrCEF.exe` executable with their own to maintain the - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://twitter.com/pabraeken/status/997997818362155008"] risk_score = 21 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -121,6 +126,11 @@ id = "T1574.010" name = "Services File Permissions Weakness" reference = "https://attack.mitre.org/techniques/T1574/010/" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Client Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + [rule.threat.tactic] diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index 63831c0c0..75bf2e6b4 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml 
+++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,14 +17,18 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Registry Persistence via AppCert DLL" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -56,3 +60,21 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.009" +name = "AppCert DLLs" +reference = "https://attack.mitre.org/techniques/T1546/009/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index 3ced40804..b6d0bff9b 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] 
@@ -107,14 +107,19 @@ This rule identifies modifications on the AppInit registry keys. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -151,3 +156,17 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index 5040e8330..ce954695d 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -45,9 +45,6 @@ This rule uses registry events to identify the creation of local hidden accounts - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", 
@@ -55,6 +52,14 @@ references = [ ] risk_score = 73 rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml index 69d549c7f..29056cb51 100644 --- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml +++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "6839c821-011d-43bd-bd5b-acff00257226" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -62,3 +62,17 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index 38c69281e..cebf81aa7 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/13" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -98,7 +98,7 @@ Techniques used within malware and by adversaries often leverage the Windows reg risk_score = 73 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -143,3 +143,17 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index 04cdb1a2e..dcca16a83 100644 --- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -18,12 +18,16 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Persistence via Scheduled Job Creation" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index 500eedba5..a03739238 100644 --- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] 
@@ -24,7 +24,7 @@ Decode the base64 encoded Tasks Actions registry value to investigate the task's risk_score = 47 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -57,3 +57,26 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index 913adf420..04c7bc0fd 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -14,13 +14,17 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Persistence via Microsoft Office AddIns" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"] risk_score = 73 rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -45,6 +49,10 @@ id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" +[[rule.threat.technique.subtechnique]] +id = "T1137.006" +name = "Add-ins" +reference = "https://attack.mitre.org/techniques/T1137/006/" [rule.threat.tactic] id = "TA0003" diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index 1d886778b..206add36a 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -15,16 +15,20 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Persistence via Microsoft Outlook VBA" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", ] risk_score = 47 rule_id = "397945f3-d39a-4e6f-8bcb-9656c2031438" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index 97160392c..8923d0a01 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml 
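Review bot: The `setup` text tells users on stacks below 8.2 to add an ingest pipeline for `event.ingested`, yet this file's `min_stack_version = "8.3.0"` (first hunk) means, if that field gates packaging as usual, no stack that can install this revision is affected by the pre-8.2 EQL fallback gap. The guidance is harmless but not actionable as written; consider stating the requirement positively, e.g. `This rule sets timestamp_override = "event.ingested"; on non-Elastic-Agent indices (such as Beats) make sure an ingest pipeline populates event.ingested, otherwise the rule falls back to @timestamp.` The `[rule]` table continues outside the second hunk.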
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,7 +17,13 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "KRBTGT Delegation Backdoor" -note = """## Setup +references = [ + "https://skyblue.team/posts/delegate-krbtgt", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md", +] +risk_score = 73 +rule_id = "e052c845-48d0-4f46-8a13-7d0aba05df82" +setup = """ The 'Audit User Account Management' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: @@ -33,12 +39,6 @@ Account Management > Audit User Account Management (Success,Failure) ``` """ -references = [ - "https://skyblue.team/posts/delegate-krbtgt", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md", -] -risk_score = 73 -rule_id = "e052c845-48d0-4f46-8a13-7d0aba05df82" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index fb9abc810..e6a1023d6 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml 
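Review bot: The re-added `references` entry points at a `blob/master/...` path in the atc-project repository, which is a moving target; pin it to a commit hash so the cited logging-policy page cannot silently change or disappear (the line is moved rather than new, so this is a follow-up rather than a blocker). The conversion itself is clean: this is a `language = "kuery"` rule, so only the 'Audit User Account Management' policy text belongs in `setup`, and the EQL `event.ingested` note is correctly absent. The second hunk's context shows the `"""` now closing `setup` instead of `note`.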
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,18 +18,22 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "New ActiveSyncAllowedDeviceID Added via PowerShell" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps", ] risk_score = 47 rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
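Review bot: The new `setup` text explains the `event.ingested` pipeline requirement without saying why this rule needs it; the reason is the `timestamp_override = "event.ingested"` line immediately below `tags`. A one-line lead-in makes the dependency explicit for whoever tunes the rule: `This rule sets timestamp_override = "event.ingested".` As in the other converted rules, the string begins with an empty line that renders as a blank paragraph and can be dropped. The `Tactic: Execution` tag added here pairs with the TA0002 entry in the next hunk, so the two must land together.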
@@ -57,3 +61,21 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml index cd0b863d9..70e0c45d6 100644 --- a/rules/windows/persistence_powershell_profiles.toml +++ b/rules/windows/persistence_powershell_profiles.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
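Review bot: The Execution entry added for the ActiveSync rule separates the T1059.001 sub-technique from `[rule.threat.tactic]` with three empty lines, where the Persistence entry directly above it uses one; collapse to a single blank line. The PowerShell mapping is supported by the rule name `New ActiveSyncAllowedDeviceID Added via PowerShell` in the previous hunk. The PowerShell-profiles `tags` hunk on the same line adds `Tactic: Privilege Escalation`, whose matching threat entry is in the next hunk, so those two hunks must land together.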
@@ -56,3 +56,21 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.013" +name = "PowerShell Profile" +reference = "https://attack.mitre.org/techniques/T1546/013/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index db097fd73..be77c8801 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
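Review bot: T1546.013 is now claimed under Privilege Escalation (TA0004) without the rule text saying when a profile modification escalates rather than merely persists; in ATT&CK the escalation case is a profile under `$PSHOME` (the AllUsers profiles) executed by a more privileged user, whereas a per-user profile only persists as that user. If the query (outside this hunk) covers both locations, a sentence in `note` or `description` distinguishing the two would help triage, and the `risk_score = 47` from the previous hunk may deserve a second look for the `$PSHOME` case. The three empty lines before `[rule.threat.tactic]` should be one.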
@@ -99,13 +99,18 @@ This rule looks for the execution of supposed accessibility binaries that don't - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"] risk_score = 73 rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml index 38f591fcb..9d20a013b 100644 --- a/rules/windows/persistence_remote_password_reset.toml +++ b/rules/windows/persistence_remote_password_reset.toml 
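Review bot: `setup="""` is written without spaces around `=`, unlike `setup = """` in the other rules converted by this commit (the Office add-ins, Outlook and ActiveSync rules); TOML accepts both, but the rule files otherwise use the spaced form, so write `setup = """`. Removing the `## Setup` heading from `note` while keeping the investigation guide is correct, since the new `setup` field is rendered separately. The `note` string this hunk closes begins above the hunk.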
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ references = [ risk_score = 47 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"] type = "eql" query = ''' @@ -63,3 +63,16 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index c4c678d43..d90dffa95 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
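Review bot: Mapping a remote password reset to T1531 Account Access Removal is defensible but deserves a word of caution in the rule text: T1531 describes an adversary denying legitimate users access, while the same event is produced by routine helpdesk resets, so the added `Tactic: Impact` tag will surface this `risk_score = 47` rule in Impact-focused views without any change to the query. If that is intended, a sentence in `note` pointing analysts at the target account's role (service account, administrator) would help them separate the two. The query is outside this hunk, so I could not check whether it already excludes self-service or known administrative sources.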
@@ -58,7 +58,14 @@ This rule matches changes of the dsHeuristics object where the 16th bit is set t - The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", + "https://petri.com/active-directory-security-understanding-adminsdholder-object", +] +risk_score = 73 +rule_id = "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7" +setup=""" The 'Audit Directory Service Changes' logging policy must be configured for (Success). Steps to implement the logging policy with Advanced Audit Configuration: @@ -74,14 +81,12 @@ DS Access > Audit Directory Service Changes (Success) ``` -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ -references = [ - "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", - "https://petri.com/active-directory-security-understanding-adminsdholder-object", -] -risk_score = 73 -rule_id = "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7" severity = "high" tags = [ "Domain: Endpoint", 
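Review bot: `setup="""` lacks the spaces around `=` that the other converted rules use (`setup = """`); align it. Keeping the EQL `event.ingested` note next to the 'Audit Directory Service Changes' policy is the right call for this rule, since `integration = ["system", "windows"]` in the previous hunk suggests Windows event-log sources such as Beats rather than Elastic Defend, which is exactly the case the note covers. The `note` string this hunk closes begins outside the hunk.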
@@ -107,6 +112,21 @@ any where event.action == "Directory Service Changes" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index b804a3f1d..a8fc49975 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml +++ b/rules/windows/persistence_service_dll_unsigned.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ name = "Unsigned DLL Loaded by Svchost" risk_score = 47 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
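Review bot: T1078.002 Domain Accounts is a doubtful fit for this rule: Valid Accounts covers an adversary using existing credentials, whereas the rule (per the `note` text in the previous hunk) fires on a `dsHeuristics` change that sets the `dwAdminSDExMask` bit, which is a change to a defensive control rather than account use. T1098 Account Manipulation, added in the same hunk, already captures the behaviour; consider dropping the T1078/T1078.002 block unless the query also matches the account that performs the change. The `[[rule.threat]]` table this hunk extends starts above the hunk.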
@@ -136,3 +136,39 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index 944b61097..d8ea0fead 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [rule] author = ["Elastic"] 
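Review bot: T1036.001 Invalid Code Signature does not match what the rule name `Unsigned DLL Loaded by Svchost` (previous hunk) says it detects: the sub-technique covers binaries carrying a signature that fails validation or was copied from another file, while an unsigned DLL has no signature at all. Unless the query (outside this hunk) also matches a present-but-untrusted signature, keep the parent T1036 Masquerading entry and drop the `[[rule.threat.technique.subtechnique]]` block. The Execution entry for T1569.002 is fine; collapse its three empty lines before `[rule.threat.tactic]` to one.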
@@ -21,7 +21,7 @@ name = "Unusual Persistence via Services Registry" risk_score = 21 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" @@ -68,3 +68,17 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index 7c0ea75e9..e9155f188 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
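Review bot: The new Defense Evasion entry is preceded by two empty `+` lines, so the file now has a double blank between the Persistence tactic reference and `[[rule.threat]]`, where the other threat additions in this commit use one; collapse to a single blank line. T1112 Modify Registry is otherwise a reasonable second mapping for `Unusual Persistence via Services Registry`, and the `Tactic: Defense Evasion` tag in the first hunk is its required counterpart.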
@@ -99,13 +99,18 @@ This rule monitors for commonly abused processes writing to the Startup folder l - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"] risk_score = 47 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index 6f17aeffa..49de81629 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/13" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -102,7 +102,7 @@ This rule looks for unsigned processes writing to the Startup folder locations. risk_score = 47 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"] type = "eql" query = ''' @@ -141,3 +141,20 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index 1ba5001ae..930c62158 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
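Review bot: T1036.001 Invalid Code Signature is the wrong sub-technique for this rule: the hunk context says `This rule looks for unsigned processes writing to the Startup folder locations`, and an unsigned binary has no signature to be invalid — T1036.001 is for binaries whose signature fails validation or was copied from a legitimate file. Keep the parent T1036 Masquerading entry and drop the `[[rule.threat.technique.subtechnique]]` block, unless the query (outside this hunk) also matches a present-but-untrusted signature. The same mapping was added to the svchost DLL rule in this commit and should be revisited together.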
@@ -99,12 +99,17 @@ This rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs s - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "f7c4dc5a-a58d-491d-9f14-9b66507121c0" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 7c674e40b..4a064c0a3 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 
 [rule]
 author = ["Elastic"]
@@ -59,17 +59,22 @@ Adversaries can insert malicious code that can be executed in place of legitimat - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", ] risk_score = 47 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation","Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
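Review bot: The `tags` array has `"Tactic: Privilege Escalation","Resources: Investigation Guide"` with no space after the comma, unlike every other element in the list; write `"Tactic: Privilege Escalation", "Resources: Investigation Guide"` so a later formatter pass does not produce a noisy diff. `setup="""` should also become `setup = """` to match the spaced form used by the other rules in this change. The matching TA0004 and TA0005 threat entries are in the next hunk, so the tag and threat changes must land together.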
@@ -136,3 +141,35 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.015" +name = "Component Object Model Hijacking" +reference = "https://attack.mitre.org/techniques/T1546/015/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index 2fc8a1533..be70bc487 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -19,18 +19,22 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious Image Load (taskschd.dll) from MS Office" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf", ] risk_score = 21 rule_id = "baa5d22c-5e1c-4f33-bfc9-efa73bb53022" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -49,9 +53,32 @@ id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index 254b888a7..2d576ba34 100644 --- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
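Review bot: The new Execution entry repeats the identical T1053/T1053.005 block that the first hunk adds under Persistence; that duplication is how ATT&CK represents a technique belonging to two tactics and is correct, but the two blank lines before `[rule.threat.tactic]` should be one, matching the Persistence entry above. Since T1053.005 was not previously listed at all, the `Tactic: Execution` tag added in the previous line's hunk and this entry must land together.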
@@ -15,14 +15,18 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Scheduled Task"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 risk_score = 47
 rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -86,3 +90,20 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+[[rule.threat.technique.subtechnique]]
+id = "T1053.005"
+name = "Scheduled Task"
+reference = "https://attack.mitre.org/techniques/T1053/005/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 3974595f2..6e3985eeb 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/09"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Suspicious ImagePath Service Creation"
 risk_score = 73
 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -52,3 +52,17 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
index 161a2ff8a..5605c425a 100644
--- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml
+++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml
@@ -2,9 +2,9 @@ creation_date = "2023/02/02"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/08"
+min_stack_comments = "Related integrations field type changes in 8.8.0"
+min_stack_version = "8.8.0"
+updated_date = "2023/10/03"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 2efaab779..c348ba669 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 [transform]
 [[transform.osquery]]
@@ -81,7 +81,7 @@ This rule looks for system shells being spawned by `services.exe`, which is comp
 risk_score = 47
 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -113,3 +113,25 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml
index 518de3a8f..233359c3c 100644
--- a/rules/windows/persistence_temp_scheduled_task.toml
+++ b/rules/windows/persistence_temp_scheduled_task.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti
 risk_score = 47
 rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"]
 type = "eql"
 query = '''
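Review bot: The added Execution threat block leaves three consecutive empty lines before `[rule.threat.tactic]`, while the other new threat blocks in this commit separate the technique list from the tactic with one or two; the same triple blank appears in persistence_time_provider_mod.toml and persistence_via_telemetrycontroller_scheduledtask_hijack.toml. TOML does not care, but collapsing these to a single blank line keeps the threat sections uniform across the rule set and avoids churn the next time the files are reformatted.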
@@ -48,3 +48,22 @@ reference = "https://attack.mitre.org/techniques/T1053/005/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.005"
+name = "Scheduled Task"
+reference = "https://attack.mitre.org/techniques/T1053/005/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index d49142aa7..80c4a7584 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/13"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"]
 risk_score = 47
 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -55,3 +55,21 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.003"
+name = "Time Providers"
+reference = "https://attack.mitre.org/techniques/T1547/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index dd4dc6de4..31bb0ed4c 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic", "Skoetting"]
@@ -47,15 +47,20 @@ This rule monitors events related to a user being added to a privileged group.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
 "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory",
 ]
 risk_score = 47
 rule_id = "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae"
+setup="""
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index fa0be4e1a..17543b815 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
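Review bot: `setup="""` here drops the spaces around `=`, whereas every other file in this commit writes `setup = """`; the same form appears in persistence_user_account_creation.toml, persistence_via_update_orchestrator_service_hijack.toml and persistence_via_xp_cmdshell_mssql_stored_procedure.toml. TOML accepts both, so nothing breaks, but a uniform `setup = """` matches the other keys in these files and keeps simple text searches for the field reliable.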
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -50,12 +50,17 @@ This rule identifies the usage of `net.exe` to create new accounts.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 risk_score = 21
 rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b"
+setup="""
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index ca066c009..911c7a349 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -18,12 +18,16 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Application Shimming via Sdbinst"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 risk_score = 21
 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index ac30e82fe..ae13526f9 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -18,10 +18,6 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via BITS Job Notify Cmdline"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/",
 "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline",
@@ -30,6 +26,14 @@ references = [
 ]
 risk_score = 47
 rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index b446c1dcc..e6f3e68bc 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -17,18 +17,22 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Hidden Run Key Detected"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://github.com/outflanknl/SharpHide",
 "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf",
 ]
 risk_score = 73
 rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -68,3 +72,30 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 298e218f7..5210976fa 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -17,14 +17,18 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"
 language = "eql"
 license = "Elastic License v2"
 name = "Installation of Security Support Provider"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 risk_score = 47
 rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -58,3 +62,17 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index d52f34326..d08d13ab7 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -17,17 +17,21 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via TelemetryController Scheduled Task Hijack"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = [
 "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence",
 ]
 risk_score = 73
 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -55,9 +59,37 @@ name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+[[rule.threat.technique.subtechnique]]
+id = "T1053.005"
+name = "Scheduled Task"
+reference = "https://attack.mitre.org/techniques/T1053/005/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 4be06e372..e3fb55d7f 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -95,15 +95,20 @@ This rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc`
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = ["https://github.com/irsl/CVE-2020-1313"]
 risk_score = 73
 rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2"
+setup="""
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -146,3 +151,21 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 6421c8075..5a7c0cca4 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -18,15 +18,19 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via WMI Event Subscription"
-note = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
 references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"]
 risk_score = 21
 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
+setup = """
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
+events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
+Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
+`event.ingested` to @timestamp.
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
+"""
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -56,3 +60,16 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
index bf7945e96..20e0543a4 100644
--- a/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/10/23"
 [rule]
 author = ["Elastic"]
@@ -50,13 +50,18 @@ The xp_cmdshell procedure is disabled by default, but when used, it has the same - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"] risk_score = 73 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
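Review bot: The new `setup="""` line is written without spaces around `=`, unlike every other key in this file and the `setup = """` lines added to the sibling rule files in this same change; TOML accepts both forms, but the rule files are otherwise uniformly formatted and the mixed style will show up in every future diff. Suggest `setup = """` here and in the other hunks that use the compact form. The same string also opens with an empty line, which the `note`-based original did not have; dropping it keeps the rendered setup text from starting with a blank paragraph.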
@@ -97,11 +102,17 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index f4b4e59f2..e854f5145 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -63,9 +63,6 @@ This rule detects a web server process spawning script and command-line interfac - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", 
@@ -74,8 +71,16 @@ references = [ ] risk_score = 73 rule_id = "2917d495-59bd-4250-b395-c29409b76086" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -116,3 +121,35 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml index d977ea681..d7e296770 100644 --- a/rules/windows/privilege_escalation_create_process_as_different_user.toml +++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,16 +17,19 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Process Creation via Secondary Logon" -note = """## Setup - -Audit events 4624 and 4688 are needed to trigger this rule. - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. - -""" references = ["https://attack.mitre.org/techniques/T1134/002/"] risk_score = 47 rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266" +setup = """ + +Audit events 4624 and 4688 are needed to trigger this rule. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "eql" diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index ce02a86d7..12815587f 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
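Review bot: The moved setup text says events 4624 and 4688 are needed but does not say which audit policy produces them, which is the thing an operator enabling this rule on `winlogbeat-*`/`logs-system.*` actually has to configure, and 4688 is not emitted on a default install. Suggest expanding the first line to `Audit events 4624 (Logon/Logoff > Audit Logon) and 4688 (Detailed Tracking > Audit Process Creation) are needed to trigger this rule.` and adding a sentence that, if the query (outside this hunk) relies on the process command line, the "Include command line in process creation events" policy must be enabled as well, since 4688 omits it by default. The other Windows audit rules in this diff already spell out their Advanced Audit Configuration path in `setup`, so the same shape fits here.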
@@ -19,7 +19,14 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "Modification of the msPKIAccountCredentials" -note = """## Setup +references = [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", +] +risk_score = 47 +rule_id = "670b3b5a-35e5-42db-bd36-6c5b9b4b7313" +setup = """ The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: @@ -34,21 +41,7 @@ Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure) ``` - -The above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule. -As this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise. - -``` -Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success -``` """ -references = [ - "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", - "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136", -] -risk_score = 47 -rule_id = "670b3b5a-35e5-42db-bd36-6c5b9b4b7313" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"] timestamp_override = "event.ingested" 
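Review bot: Deleting the Set-AuditRule paragraph leaves the setup with only the 'Audit Directory Service Changes' subcategory, but enabling that subcategory alone produces no 5136 events; a SACL on the target objects auditing Write Property for the attribute is also required, so on a domain with default object auditing this rule will be silent. The removed text was wrong for this rule in that it named the msDS-KeyCredentialLink attribute GUID rather than msPKIAccountCredentials (it reads like a copy from the shadow-credentials rule), so the fix is to correct the attribute, not to drop the step. Suggest keeping a paragraph along the lines of `The above policy does not cover User objects, so an audit rule (for example via https://github.com/OTRF/Set-AuditRule) must be set for WriteProperty on the msPKIAccountCredentials attribute of the user container.` without the stale GUID, and letting the operator look up the schema GUID for that attribute. The rest of the setup block is unchanged context.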
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 0c2443a2f..b41831b47 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -66,9 +66,6 @@ Attackers may disable UAC to execute code directly in high integrity. This rule - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.greyhathacker.net/?p=796", 
@@ -77,6 +74,14 @@ references = [ ] risk_score = 47 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -125,6 +130,20 @@ id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [rule.threat.tactic] @@ -132,3 +151,4 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml similarity index 94% rename from rules/windows/persistence_driver_newterm_imphash.toml rename to rules/windows/privilege_escalation_driver_newterm_imphash.toml index e054c70ba..2790a783b 100644 --- a/rules/windows/persistence_driver_newterm_imphash.toml +++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml 
@@ -4,7 +4,7 @@ maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" integration = ["endpoint"] -updated_date = "2023/06/22" +updated_date = "2023/10/13" [transform] [[transform.osquery]] @@ -97,7 +97,7 @@ references = ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-drive risk_score = 47 rule_id = "df0fd41e-5590-4965-ad5e-cd079ec22fa9" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "new_terms" @@ -105,6 +105,19 @@ query = ''' event.category:"driver" and host.os.type:windows and event.action:"load" ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules_building_block/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml similarity index 71% rename from rules_building_block/privilege_escalation_expired_driver_loaded.toml rename to rules/windows/privilege_escalation_expired_driver_loaded.toml index 43dbc5668..72245f0e4 100644 --- a/rules_building_block/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml 
@@ -4,8 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/26" -bypass_bbr_timing = true +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -24,10 +23,9 @@ references = [ risk_score = 21 rule_id = "d12bac54-ab2a-4159-933f-d7bcefa7b61d" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' driver where host.os.type == "windows" and process.pid == 4 and @@ -46,3 +44,22 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml similarity index 64% rename from rules/windows/persistence_gpo_schtask_service_creation.toml rename to rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index 43f70f536..d75d04dc7 100644 --- a/rules/windows/persistence_gpo_schtask_service_creation.toml 
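Review bot: Removing `building_block_type` and the `Rule Type: BBR` tag turns this from a non-alerting building block into a rule that raises alerts, but nothing in the hunk adds the false-positive guidance that promotion needs. Legitimate drivers very commonly carry a signing certificate that has since expired, because Authenticode timestamping keeps the signature valid after expiry, so an expired-certificate condition on its own (the query is cut off at the end of the first hunk) is likely to fire on ordinary systems at `risk_score = 21`. Suggest adding a `false_positives` entry or a `note` paragraph stating that drivers with expired but timestamped signatures are expected and that the rule is meant for triage rather than immediate response, unless the part of the query not visible here already excludes timestamped signatures. The new T1036.001 mapping is consistent with the expiry condition.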
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,14 +18,18 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Creation or Modification of a new GPO Scheduled Task or Service" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 21 rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -37,6 +41,24 @@ file where host.os.type == "windows" and event.type != "deletion" and ''' +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1484" +name = "Domain Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" +[[rule.threat.technique.subtechnique]] +id = "T1484.001" +name = "Group Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/001/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 609d3a652..03e63828a 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -47,7 +47,15 @@ Group Policy Objects (GPOs) can be used by attackers to instruct arbitrarily lar - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse", +] +risk_score = 47 +rule_id = "16fac1a1-21ee-4ca6-b720-458e3855d046" +setup=""" The 'Audit Detailed File Share' audit policy must be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: @@ -77,13 +85,6 @@ DS Access > Audit Directory Service Changes (Success,Failure) ``` """ -references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", - "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", - "https://labs.f-secure.com/tools/sharpgpoabuse", -] -risk_score = 47 -rule_id = "16fac1a1-21ee-4ca6-b720-458e3855d046" severity = "medium" tags = [ "Domain: Endpoint", diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index 8ba7f049c..c0151d2cf 100644 --- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml 
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -44,7 +44,14 @@ Group Policy Objects (GPOs) can be used to add rights and/or modify Group Member - Remove the script from the GPO. - Check if other GPOs have suspicious scripts attached. -## Setup +""" +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://labs.f-secure.com/tools/sharpgpoabuse", +] +risk_score = 73 +rule_id = "b9554892-5e0e-424b-83a0-5aef95aa43bf" +setup=""" The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: @@ -60,12 +67,6 @@ DS Access > Audit Directory Service Changes (Success,Failure) ``` """ -references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", - "https://labs.f-secure.com/tools/sharpgpoabuse", -] -risk_score = 73 -rule_id = "b9554892-5e0e-424b-83a0-5aef95aa43bf" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index 65122c94e..b533356e4 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -47,7 +47,17 @@ Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup +""" +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse", + "https://twitter.com/menasec1/status/1106899890377052160", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml", +] +risk_score = 47 +rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e" +setup=""" The 'Audit Detailed File Share' audit policy must be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: 
@@ -77,21 +87,13 @@ DS Access > Audit Directory Service Changes (Success,Failure) ``` """ -references = [ - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", - "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", - "https://labs.f-secure.com/tools/sharpgpoabuse", - "https://twitter.com/menasec1/status/1106899890377052160", - "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml", -] -risk_score = 47 -rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e" severity = "medium" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring" @@ -136,3 +138,16 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index a19faf24b..aedadd0d9 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2021/11/25" -integration = ["endpoint", "windows"] +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] @@ -39,7 +39,7 @@ Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) defaul allows an unprivileged user to escalate privileges to SYSTEM. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via InstallerFileTakeOver" 
@@ -98,30 +98,40 @@ This rule detects the default execution of the PoC, which overwrites the `elevat - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://github.com/klinix5/InstallerFileTakeOver"] risk_score = 73 rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. 
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' -/* This rule is compatible with both Sysmon and Elastic Endpoint */ - process where host.os.type == "windows" and event.type == "start" and - (?process.Ext.token.integrity_level_name : "System" or - ?winlog.event_data.IntegrityLevel : "System") and + process.Ext.token.integrity_level_name : "System" and ( (process.name : "elevation_service.exe" and not process.pe.original_file_name == "elevation_service.exe") or + + (process.name : "elevation_service.exe" and + not process.code_signature.trusted == true) or (process.parent.name : "elevation_service.exe" and process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) + ) and + not + ( + process.name : "elevation_service.exe" and process.code_signature.trusted == true and + process.pe.original_file_name == null ) ''' diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index f9c96d7cc..a47a4d24b 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [transform] [[transform.osquery]] 
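Review bot: The setup text added here still tells users how to make the rule work on beats indices, but the earlier hunk in this file narrows `index` to `logs-endpoint.events.*` and drops the `windows` integration, and the rewritten query depends on `process.Ext.token.integrity_level_name` and `process.code_signature.trusted`, fields only Elastic Defend populates; the `event.ingested` pipeline paragraph is therefore advice for an index the rule no longer reads. Suggest replacing the `setup` body with a single statement that the rule requires Elastic Defend process events (or omitting `setup`), and confirming that the rule description, which starts outside this hunk, does not still claim Sysmon compatibility now that the `/* This rule is compatible with both Sysmon and Elastic Endpoint */` comment is gone. Narrowing the index also silently removes coverage for users who fed this rule from Sysmon via winlogbeat, which deserves a line in the rule's changelog or description.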
@@ -93,9 +93,6 @@ Attackers can abuse named pipes to elevate their privileges by impersonating the - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", @@ -104,6 +101,14 @@ references = [ ] risk_score = 73 rule_id = "3ecbdc9e-e4f2-43fa-8cca-63802125e582" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 8584c18b3..15d3550ba 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -58,9 +58,6 @@ Attackers can execute malicious code by abusing missing modules that processes t - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://itm4n.github.io/windows-dll-hijacking-clarified/", @@ -72,6 +69,14 @@ references = [ ] risk_score = 73 rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = [ "Domain: Endpoint", @@ -79,6 +84,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend" 
@@ -147,3 +153,20 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml index 3eec687db..34eefb678 100644 --- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml +++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -49,6 +49,10 @@ reference = "https://attack.mitre.org/techniques/T1547/" id = "T1547.010" name = "Port Monitors" reference = "https://attack.mitre.org/techniques/T1547/010/" +[[rule.threat.technique.subtechnique]] +id = "T1547.012" +name = "Print Processors" +reference = "https://attack.mitre.org/techniques/T1547/012/" @@ -66,6 +70,10 @@ reference = "https://attack.mitre.org/techniques/T1547/" id = "T1547.010" name = "Port Monitors" reference = "https://attack.mitre.org/techniques/T1547/010/" +[[rule.threat.technique.subtechnique]] +id = "T1547.012" +name = "Print Processors" +reference = "https://attack.mitre.org/techniques/T1547/012/" 
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index e86397efb..38f85845e 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/05" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,7 +18,15 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Token Impersonation Capabilities" -note = """## Setup +references = [ + "https://github.com/decoder-it/psgetsystem", + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", +] +risk_score = 47 +rule_id = "11dd9713-0ec6-4110-9707-32daae1ee68c" +setup = """ The 'PowerShell Script Block Logging' logging policy must be configured (Enable). 
@@ -37,14 +45,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://github.com/decoder-it/psgetsystem", - "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", - "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", -] -risk_score = 47 -rule_id = "11dd9713-0ec6-4110-9707-32daae1ee68c" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" @@ -73,10 +73,12 @@ event.category:process and host.os.type:windows and "CreatePRocessAsUserW" or "CreateProcessAsUserA") ) - ) and not - (user.id:("S-1-5-18" or "S-1-5-19") and - file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads") - and not powershell.file.script_block_text : ( + ) and + not ( + user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and + file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads" + ) and + not powershell.file.script_block_text : ( "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" ) ''' diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml index 58cf0f454..04916a7f4 100644 --- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml 
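Review bot: The widened exclusion `not (user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")` now suppresses every token-impersonation script-block match for SYSTEM, LOCAL SERVICE and NETWORK SERVICE as long as the script sits under that folder, so it is keyed on a SID the attacker may already hold plus a path rather than on what the script is. Presumably this covers Microsoft Defender for Endpoint response scripts staged there, but the rule does not say so; add a comment above the clause such as `/* MDE response scripts staged in the ATP Downloads folder run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE */` and, if a stable marker from those scripts exists, also require it in `powershell.file.script_block_text` so a script dropped into that directory by a process already running as one of those accounts is not silently excluded. The query begins before this hunk, so the positive conditions it guards are not visible here.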
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,16 +18,20 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious PrintSpooler Service Executable File Creation" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files", ] risk_score = 73 rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml index 8421af4c2..16532fc2b 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -23,13 +23,17 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious Print Spooler File Deletion" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] risk_score = 47 rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index 0902763f8..3a885ecf6 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -96,13 +96,18 @@ The Print Spooler service has some known vulnerabilities that attackers can abus - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"] risk_score = 73 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" 
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml index d0c82fae2..dc66b880f 100644 --- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml +++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,10 +18,6 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential Privileged Escalation via SamAccountName Spoofing" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", 
@@ -31,6 +27,13 @@ references = [ ] risk_score = 73 rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034" +setup = """ +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"] timestamp_override = "event.ingested" @@ -45,6 +48,12 @@ iam where event.action == "renamed-user-account" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index 401d9f403..f4c96fc02 100644 --- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/30" +updated_date = "2023/10/13" [transform] [[transform.osquery]] 
@@ -80,7 +80,7 @@ The `sc.exe` command line utility is used to manage and control Windows services risk_score = 21 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -112,3 +112,59 @@ reference = "https://attack.mitre.org/techniques/T1543/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml index a1be5270e..520a097c6 100644 --- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml 
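Review bot: The new `[[rule.threat]]` blocks map this rule to T1059.005 (Visual Basic), T1047 (WMI), T1218.010 (Regsvr32) and T1218.011 (Rundll32), but the EQL query these mappings describe is outside this hunk, so nothing visible shows that it actually matches wscript/cscript, wmic, regsvr32 or rundll32 spawned by the service control manager. Confirm that each mapped sub-technique corresponds to a process name the query matches and drop any that do not, otherwise the ATT&CK coverage advertised by the rule is broader than what it detects.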
+++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,7 +17,13 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "SeDebugPrivilege Enabled by a Suspicious Process" -note = """## Setup +references = [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", + "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e", +] +risk_score = 47 +rule_id = "97020e61-e591-4191-8a3b-2861a2b887cd" +setup = """ Windows Event 4703 logs Token Privileges changes and need to be configured (Enable). @@ -34,12 +40,6 @@ Detailed Tracking > Token Right Adjusted Events (Success) ``` """ -references = [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", - "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e", -] -risk_score = 47 -rule_id = "97020e61-e591-4191-8a3b-2861a2b887cd" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index c96350245..0e02fe253 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,15 +17,19 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://github.com/hfiref0x/UACME"] risk_score = 73 rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -55,3 +59,39 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 1461ff449..59cf5a1d6 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,15 +17,19 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"] risk_score = 47 rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -57,3 +61,38 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index 30d80950e..aff8e1426 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,14 +17,18 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "UAC Bypass via ICMLuaUtil Elevated COM Interface" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 73 rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -54,3 +58,39 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 8905231cf..24ea538f1 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,14 +17,18 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "UAC Bypass via DiskCleanup Scheduled Task Hijack" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -55,3 +59,39 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index 62990a8da..011e7e4a8 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -17,18 +17,22 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = [ "https://github.com/hfiref0x/UACME", "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies", ] risk_score = 73 rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -59,3 +63,30 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.002" +name = "DLL Side-Loading" +reference = "https://attack.mitre.org/techniques/T1574/002/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + + diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index a2bd79e87..555a7b93b 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -97,14 +97,19 @@ During startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\ - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 73 rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -137,3 +142,21 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 373f0afff..86f284981 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -96,15 +96,20 @@ This rule identifies an attempt to bypass User Account Control (UAC) by masquera - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"] risk_score = 73 rule_id = "290aca65-e94d-403b-ba0f-62f320e63f51" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -132,3 +137,30 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 1e27cd45f..7e37e68ae 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -96,15 +96,20 @@ This rule identifies attempts to bypass User Account Control (UAC) by hijacking - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = ["https://github.com/AzAgarampur/byeintegrity-uac"] risk_score = 47 rule_id = "1178ae09-5aff-460a-9f2f-455cd0ac4d8e" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" 
@@ -135,3 +140,30 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.014" +name = "MMC" +reference = "https://attack.mitre.org/techniques/T1218/014/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml index 98ad29923..afae84230 100644 --- a/rules/windows/privilege_escalation_uac_sdclt.toml +++ b/rules/windows/privilege_escalation_uac_sdclt.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "development" -updated_date = "2023/06/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ name = "Bypass UAC via Sdclt" risk_score = 73 rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900" severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] type = "eql" query = ''' 
@@ -58,3 +58,21 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.014" +name = "MMC" +reference = "https://attack.mitre.org/techniques/T1218/014/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index f5f5a673b..b5bf495b3 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/10/23" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -93,9 +93,6 @@ This rule uses this information to spot suspicious parent and child processes. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", 
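Review bot: The Defense Evasion block added to the Sdclt rule maps T1218.014 (MMC), which does not describe sdclt.exe; the block, down to its blank-line layout, is identical to the one added to the winfw MMC hijack rule in the hunk immediately before this one and looks copied from it. The other UAC-bypass rules in this series pair their new `"Tactic: Defense Evasion"` tag with T1548.002 Bypass User Account Control, so this file's technique entry should presumably be `id = "T1548"` / `name = "Abuse Elevation Control Mechanism"` with sub-technique `T1548.002`, unless the rule's query (outside this hunk) actually keys on mmc.exe. Separately, this file's `updated_date` is bumped to 2023/10/13 while the neighbouring rules in the same change use 2023/10/23.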
@@ -103,6 +100,14 @@ references = [ ] risk_score = 47 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b" +setup=""" + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index d8958776a..6f900b52f 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -23,13 +23,17 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Unusual Print Spooler Child Process" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"] risk_score = 47 rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 35b082e58..7097416d9 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -18,12 +18,16 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Unusual Service Host Child Process - Childless Service" -note = """## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" risk_score = 47 rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" @@ -76,6 +80,10 @@ framework = "MITRE ATT&CK" id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.012" +name = "Process Hollowing" +reference = "https://attack.mitre.org/techniques/T1055/012/" [rule.threat.tactic] 
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index 94a7268c4..a06bc25ca 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] @@ -17,14 +17,6 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via Rogue Named Pipe Impersonation" -note = """## Setup - -Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings: -`condition equal "contains" and keyword equal "pipe"` - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. - -""" references = [ "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", 
@@ -32,6 +24,17 @@ references = [ ] risk_score = 73 rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241" +setup = """ + +Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings: +`condition equal "contains" and keyword equal "pipe"` + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html +""" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Sysmon Only"] timestamp_override = "event.ingested" diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml index 9733b19b6..724ce976f 100644 --- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml +++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/23" [rule] author = ["Elastic"] 
@@ -18,7 +18,14 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "Windows Service Installed via an Unusual Client" -note = """## Setup +references = [ + "https://www.x86matthew.com/view_post?id=create_svc_rpc", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md", +] +risk_score = 73 +rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2" +setup = """ The 'Audit Security System Extension' logging policy must be configured for (Success) Steps to implement the logging policy with with Advanced Audit Configuration: @@ -34,13 +41,6 @@ System > Audit Security System Extension (Success) ``` """ -references = [ - "https://www.x86matthew.com/view_post?id=create_svc_rpc", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", - "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md", -] -risk_score = 73 -rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml new file mode 100644 index 000000000..c3482ff67 --- /dev/null +++ b/rules_building_block/collection_common_compressed_archived_file.toml 
@@ -0,0 +1,139 @@ +[metadata] +bypass_bbr_timing = true +creation_date = "2023/10/11" +integration = "endpoint" +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/10/11" + +[rule] +author = ["Elastic"] +building_block_type = "default" +description = """ +Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to +evade detection or to staging data for exfiltration. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +max_signals = 1000 +name = "File Compressed or Archived into Common Format" +references = ["https://en.wikipedia.org/wiki/List_of_file_signatures"] +risk_score = 21 +rule_id = "79124edf-30a8-4d48-95c4-11522cad94b1" +severity = "low" +tags = [ + "Data Source: Elastic Defend", + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Tactic: Collection", + "Rule Type: BBR", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where event.type in ("creation", "change") and + file.Ext.header_bytes : ( + /* compression formats */ + "1F9D*", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */ + "1FA0*", /* tar zip, tar.z (LZH algorithm) */ + "425A68*", /* Bzip2 */ + "524E4301*", /* Rob Northen Compression */ + "524E4302*", /* Rob Northen Compression */ + "4C5A4950*", /* LZIP */ + "504B0*", /* ZIP */ + "526172211A07*", /* RAR compressed */ + "44434D0150413330*", /* Windows Update Binary Delta Compression file */ + "50413330*", /* Windows Update Binary Delta Compression file */ + "377ABCAF271C*", /* 7-Zip */ + "1F8B*", /* GZIP */ + "FD377A585A00*", /* XZ, tar.xz */ + "7801*", /* zlib: No Compression (no preset dictionary) */ + "785E*", /* zlib: Best speed (no preset dictionary) */ + "789C*", /* zlib: Default Compression (no preset dictionary) */ + "78DA*", /* zlib: Best Compression (no preset 
dictionary) */ + "7820*", /* zlib: No Compression (with preset dictionary) */ + "787D*", /* zlib: Best speed (with preset dictionary) */ + "78BB*", /* zlib: Default Compression (with preset dictionary) */ + "78F9*", /* zlib: Best Compression (with preset dictionary) */ + "62767832*", /* LZFSE */ + "28B52FFD*", /* Zstandard, zst */ + "5253564B44415441*", /* QuickZip rs compressed archive */ + "2A2A4143452A2A*", /* ACE */ + + /* archive formats */ + "2D686C302D*", /* lzh */ + "2D686C352D*", /* lzh */ + "303730373037*", /* cpio */ + "78617221*", /* xar */ + "4F4152*", /* oar */ + "49536328*" /* cab archive */ + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + + [[rule.threat.technique]] + id = "T1560" + name = "Archive Collected Data" + reference = "https://attack.mitre.org/techniques/T1560/" + + [[rule.threat.technique.subtechnique]] + id = "T1560.001" + name = "Archive via Utility" + reference = "https://attack.mitre.org/techniques/T1560/001/" + + [[rule.threat.technique]] + id = "T1074" + name = "Data Staged" + reference = "https://attack.mitre.org/techniques/T1074/" + + [[rule.threat.technique.subtechnique]] + id = "T1074.001" + name = "Local Data Staging" + reference = "https://attack.mitre.org/techniques/T1074/001/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + + [[rule.threat.technique]] + id = "T1132" + name = "Data Encoding" + reference = "https://attack.mitre.org/techniques/T1132/" + + [[rule.threat.technique.subtechnique]] + id = "T1132.001" + name = "Standard Encoding" + reference = "https://attack.mitre.org/techniques/T1132/001/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + + 
[[rule.threat.technique]] + id = "T1027" + name = "Obfuscated Files or Information" + reference = "https://attack.mitre.org/techniques/T1027/" diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index ebecc4599..8a810b550 100644 --- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -40,6 +40,11 @@ id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" + [[rule.threat.technique.subtechnique]] + id = "T1074.001" + name = "Local Data Staging" + reference = "https://attack.mitre.org/techniques/T1074/001/" + [rule.threat.tactic] id = "TA0009" diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml index 1982b9c30..5934fb60f 100644 --- a/rules_building_block/collection_posh_compression.toml +++ b/rules_building_block/collection_posh_compression.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/18" +updated_date = "2023/10/13" [rule] @@ -19,8 +19,9 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Archive Compression Capabilities" -note = """## Setup - +risk_score = 21 +rule_id = "27071ea3-e806-4697-8abc-e22c92aa4293" +setup = """ The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: 
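Review bot: The `tags` list of the new building-block rule names only `"Tactic: Collection"`, yet the file maps three tactics (TA0009, TA0011 Command and Control, TA0005 Defense Evasion); every other hunk in this diff adds a `"Tactic: …"` tag for each tactic it maps, so `"Tactic: Command and Control"` and `"Tactic: Defense Evasion"` belong here too, or the extra threat blocks should go. The description has a grammatical slip: `evade detection or to staging data for exfiltration` should read `evade detection or to stage data for exfiltration`. `integration = "endpoint"` is a bare string where the neighbouring rules (for example collection_files_staged_in_recycle_bin_root.toml) use `integration = ["endpoint"]`; keep the list form unless the schema deliberately accepts both. On the query itself, the two-byte zlib prefixes (`7801*`, `785E*`, `789C*`, `78DA*` and the preset-dictionary variants) and the three-byte `4F4152*` are far weaker signatures than the rest of the list — git loose objects, for instance, are zlib streams and will match on every developer host — so even at `risk_score = 21` and `max_signals = 1000` the expected volume should be documented or those entries narrowed.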
@@ -37,8 +38,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -risk_score = 21 -rule_id = "27071ea3-e806-4697-8abc-e22c92aa4293" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" @@ -63,7 +62,13 @@ event.category:process and host.os.type:windows and "ZipArchiveMode" ) or powershell.file.script_block_text : "Compress-Archive" -) and not file.path : *ProgramData*Microsoft*Windows*Defender*Advanced*Threat*Protection*DataCollection* +) and + not file.path : ( + ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\* or + ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\DataCollection\\\\* or + ?\:\\\\Program?Files\\\\Microsoft?Dependency?Agent\\\\plugins\\\\* or + ?\:\\\\Program?Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1 + ) ''' diff --git a/rules_building_block/collection_posh_webcam_video_capture.toml b/rules_building_block/collection_posh_webcam_video_capture.toml index 3ff35af6e..14e286f5e 100644 --- a/rules_building_block/collection_posh_webcam_video_capture.toml +++ b/rules_building_block/collection_posh_webcam_video_capture.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/18" +updated_date = "2023/10/19" bypass_bbr_timing = true [rule] 
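Review bot: The four path exclusions added to the `not file.path : (...)` clause in the last hunk of `collection_posh_compression.toml` are path-only, and a KQL rule over PowerShell script block logs has no signer or process field to pin them to, so any script that lands under `?:\Program Files\Microsoft Dependency Agent\plugins\` or the two Defender ATP directories is silently out of scope. Since KQL cannot carry an inline comment, record why each path is excluded (presumably MDE Live Response downloads/data collection, the Dependency Agent plugins and the Azure File Sync diagnostic script) in a `false_positives` entry or in the rule `setup`/`note` text so the exclusions can be re-checked later. Note also that the first Defender ATP entry now covers `Downloads\*` in addition to the old `DataCollection*` pattern, which widens the exclusion; if that is intended it is worth a sentence in the same place.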
@@ -18,8 +18,10 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Webcam Video Capture Capabilities" -note = """## Setup - +references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"] +risk_score = 21 +rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43" +setup = """ The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: @@ -36,9 +38,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"] -risk_score = 21 -rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml similarity index 88% rename from rules/windows/command_and_control_certutil_network_connection.toml rename to rules_building_block/command_and_control_certutil_network_connection.toml index 6645af86b..35d06368a 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules_building_block/command_and_control_certutil_network_connection.toml @@ -4,7 +4,8 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/16" +bypass_bbr_timing = true [transform] [[transform.osquery]] 
@@ -34,6 +35,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. @@ -102,18 +104,17 @@ risk_score = 21 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +timestamp_override = "event.ingested" type = "eql" query = ''' -sequence by process.entity_id - [process where host.os.type == "windows" and process.name : "certutil.exe" and event.type == "start"] - [network where host.os.type == "windows" and process.name : "certutil.exe" and - not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", - "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", - "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", - "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", - "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", - "FE80::/10", "FF00::/8")] +network where host.os.type == "windows" and process.name : "certutil.exe" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", + "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", + "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8") ''' 
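Review bot: The `tags` line carried as context in the `@@ -102,18 +104,17 @@` hunk still lacks `"Rule Type: BBR"` even though the file is moved to `rules_building_block/` and `building_block_type = "default"` is added; every other building-block rule in this diff tags itself that way, so this one will be inconsistent (and likely caught by the tags unit test the CLI.md change mentions). Suggested line: `tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR"]`. Separately, collapsing the sequence into a bare `network where` leaves the network event kind unconstrained; if Elastic Defend also reports accepted-connection or disconnect events for the same process, a single download would match more than once, so consider adding `event.action == "connection_attempted"` (or the equivalent `event.type` filter) to the new query.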
diff --git a/rules_building_block/credential_access_kirbi_file.toml b/rules_building_block/credential_access_kirbi_file.toml index f8dbf8449..38e0ade1d 100644 --- a/rules_building_block/credential_access_kirbi_file.toml +++ b/rules_building_block/credential_access_kirbi_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/23" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -50,21 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1558/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.001" -name = "PowerShell" -reference = "https://attack.mitre.org/techniques/T1059/001/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/credential_access_mdmp_file_creation.toml b/rules_building_block/credential_access_mdmp_file_creation.toml new file mode 100644 index 000000000..fd56e0601 --- /dev/null +++ b/rules_building_block/credential_access_mdmp_file_creation.toml 
@@ -0,0 +1,88 @@
+[metadata]
+creation_date = "2023/09/21"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access
+credentials from a process memory.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Credential Access via Memory Dump File Creation"
+risk_score = 21
+rule_id = "e707a7be-cc52-41ac-8ab3-d34b38c20005"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and
+
+ /* MDMP header */
+ file.Ext.header_bytes : "4d444d50*" and file.size >= 30000 and
+ not
+
+ (
+ (
+ process.executable : (
+ "?:\\Windows\\System32\\WerFault.exe",
+ "?:\\Windows\\SysWOW64\\WerFault.exe",
+ "?:\\Windows\\System32\\Wermgr.exe",
+ "?:\\Windows\\SysWOW64\\Wermgr.exe",
+ "?:\\Windows\\System32\\WerFaultSecure.exe",
+ "?:\\Windows\\System32\\WUDFHost.exe",
+ "?:\\Windows\\System32\\Taskmgr.exe",
+ "?:\\Windows\\SysWOW64\\Taskmgr.exe",
+ "?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\SystemApps\\*.exe",
+ "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\zCrashReport64.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+ (
+ file.path : (
+ "?:\\ProgramData\\Microsoft\\Windows\\WER\\*",
+ "?:\\ProgramData\\Microsoft\\WDF\\*",
+ "?:\\ProgramData\\Alteryx\\ErrorLogs\\*",
+ "?:\\ProgramData\\Goodix\\*",
+ "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\*",
+ "?:\\Users\\*\\AppData\\Roaming\\Zoom\\logs\\zoomcrash*",
+ "?:\\Users\\*\\AppData\\*\\Crashpad\\*",
+ "?:\\Users\\*\\AppData\\*\\crashpaddb\\*",
+ "?:\\Users\\*\\AppData\\*\\HungReports\\*",
+ "?:\\Users\\*\\AppData\\*\\CrashDumps\\*",
+ "?:\\Users\\*\\AppData\\*\\NativeCrashReporting\\*"
+ ) and (process.code_signature.trusted == true or process.executable == null)
+ )
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules_building_block/credential_access_mdmp_file_unusual_extension.toml b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml
new file mode 100644
index 000000000..e142da657
--- /dev/null
+++ b/rules_building_block/credential_access_mdmp_file_unusual_extension.toml
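Review bot: The description of `credential_access_mdmp_file_creation.toml` says "creation or modification", but the query only matches `event.type == "creation"`, so one of the two should change; the simplest fix is `Identifies the creation of a medium size memory dump file which can indicate an attempt to access` in the description. The second exclusion branch also accepts `process.executable == null` for dumps written under user-writable locations such as `?:\Users\*\AppData\*\CrashDumps\*`, which means an event that arrives without process attribution is dropped rather than alerted on; that is a deliberate trade-off worth an EQL comment above the `file.path : (` block, e.g. `/* crash-handler dumps may be reported without process context; treat missing executable as benign here */`, so it is not later read as an oversight. Lower-case `"4d444d50*"` works because `:` is case-insensitive, but the sibling rules write headers in upper case, so a consistent case would make the header lists easier to grep.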
@@ -0,0 +1,77 @@ +[metadata] +creation_date = "2023/09/21" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/21" +bypass_bbr_timing = true + +[rule] +author = ["Elastic"] +description = """ +Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a +memory dump as another file type to bypass security defenses. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Memory Dump File with Unusual Extension" +risk_score = 21 +rule_id = "c0b9dc99-c696-4779-b086-0d37dc2b3778" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +timestamp_override = "event.ingested" +building_block_type = "default" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.type == "creation" and + + /* MDMP header */ + file.Ext.header_bytes : "4d444d50*" and + not file.extension : ("dmp", "mdmp", "hdmp", "edmp", "full", "tdref", "cg", "tmp", "dat") and + not + ( + process.executable : "?:\\Program Files\\Endgame\\esensor.exe" and + process.code_signature.trusted == true and length(file.extension) == 0 + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" 
+reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.008" +name = "Masquerade File Type" +reference = "https://attack.mitre.org/techniques/T1036/008/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index d7f1350a8..fa20d4a8d 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/23" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ name = "Binary Content Copy via Cmd.exe" risk_score = 21 rule_id = "53dedd83-1be7-430f-8026-363256395c8b" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" building_block_type = "default" 
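Review bot: The `not file.extension : ("dmp", "mdmp", "hdmp", "edmp", "full", "tdref", "cg", "tmp", "dat")` allow-list in `credential_access_mdmp_file_unusual_extension.toml` mixes obvious dump extensions with unexplained ones, and `tmp`/`dat` in particular carve a wide hole out of a rule whose purpose is to catch dumps disguised as other file types. Add an EQL comment above the line naming the product or crash handler each non-obvious entry covers, e.g. `/* benign dump extensions: tdref/cg/tmp/dat are written by <tool> — TODO confirm before widening */`, so the list can be reviewed rather than grown by accretion. Unlike the sibling `credential_access_mdmp_file_creation.toml`, this rule sets no `file.size` floor; if matching every MDMP-headered file regardless of size is intentional, a short comment saying so would stop a later reader from "fixing" it.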
@@ -46,3 +46,21 @@ reference = "https://attack.mitre.org/techniques/T1140/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml new file mode 100644 index 000000000..23ab605f3 --- /dev/null +++ b/rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml 
@@ -0,0 +1,67 @@ +[metadata] +creation_date = "2023/09/25" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/25" +bypass_bbr_timing = true + +[rule] +author = ["Elastic"] +description = """ +Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by +masquerading files using the file extension values used by image, audio, or document file types. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Archive File with Unusual Extension" +risk_score = 21 +rule_id = "cffbaf47-9391-4e09-a83c-1f27d7474826" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +timestamp_override = "event.ingested" +building_block_type = "default" +type = "eql" + +query = ''' +file where host.os.type == "windows" and event.action != "deletion" and + + /* common archive file headers - Rar, 7z, GZIP, MSCF, XZ, ZIP */ + file.Ext.header_bytes : ("52617221*", "377ABCAF271C*", "1F8B*", "4d534346*", "FD377A585A00*", "504B0304*", "504B0708*") and + + ( + /* common image file extensions */ + file.extension : ("jpg", "jpeg", "emf", "tiff", "gif", "png", "bmp", "ico", "fpx", "eps", "inf") or + + /* common audio and video file extensions */ + file.extension : ("mp3", "wav", "avi", "mpeg", "flv", "wma", "wmv", "mov", "mp4", "3gp") or + + /* common document file extensions */ + (file.extension : ("doc", "docx", "rtf", "ppt", "pptx", "xls", "xlsx") and + + /* exclude ZIP file header values for OPENXML documents */ + not file.Ext.header_bytes : ("504B0304*", "504B0708*")) + ) and + + not (process.executable : "?:\\Windows\\System32\\inetsrv\\w3wp.exe" and file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*") +''' + 
+[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.008" +name = "Masquerade File Type" +reference = "https://attack.mitre.org/techniques/T1036/008/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml index bc2845463..5d4f85d2a 100644 --- a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/04" +updated_date = "2023/10/13" bypass_bbr_timing = true [rule] @@ -21,7 +21,7 @@ name = "Suspicious Communication App Child Process" risk_score = 21 rule_id = "adbfa3ee-777e-4747-b6b0-7bd645f30880" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" 
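Review bot: In `defense_evasion_collection_masquerading_unusual_archive_file_extension.toml` the `/* common image file extensions */` list contains `"inf"`, which is a Windows setup-information file rather than an image type, so either the entry is a stray or the comment is wrong; if `.inf` is meant to stay it belongs in its own group with a comment explaining why. The event filter `event.action != "deletion"` also differs from every other new rule in this diff, which use `event.type == "creation"`, while the description says "creation of an archive file"; unless overwrite and rename events are wanted here, `file where host.os.type == "windows" and event.type == "creation" and` would match the description and the siblings. One further nit: the ZIP-header exclusion is applied to the whole document group, so a ZIP-headered file named `.doc` or `.rtf` is also excluded even though those legacy formats are never ZIP containers; narrowing that exclusion to `docx`/`pptx`/`xlsx` would keep the OPENXML carve-out without the side effect.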
@@ -220,6 +220,16 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" @@ -229,3 +239,16 @@ reference = "https://attack.mitre.org/techniques/T1055/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Client Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/defense_evasion_disable_nla.toml b/rules_building_block/defense_evasion_disable_nla.toml index 2ac70df49..c70eaeb8a 100644 --- a/rules_building_block/defense_evasion_disable_nla.toml +++ b/rules_building_block/defense_evasion_disable_nla.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/25" +updated_date = "2023/10/09" bypass_bbr_timing = true [rule] @@ -47,8 +47,14 @@ id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + 
diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index f7910eb50..5958bbf6b 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml @@ -2,9 +2,9 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/12" +min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." +min_stack_version = "8.4.0" +updated_date = "2023/10/13" [rule] author = ["Elastic"] diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml new file mode 100644 index 000000000..11d2c4033 --- /dev/null +++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml 
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/09/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. Adversaries may take advantage of
+ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Execution via Microsoft DotNet ClickOnce Host"
+risk_score = 21
+rule_id = "5297b7f1-bccd-4611-93fa-ea342a01ff84"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+building_block_type = "default"
+type = "eql"
+
+query = '''
+sequence by user.id with maxspan=5s
+ [process where host.os.type == "windows" and event.action == "start" and
+ process.name : "rundll32.exe" and process.command_line : ("*dfshim*ShOpenVerbApplication*", "*dfshim*#*")]
+ [network where host.os.type == "windows" and process.name : "dfsvc.exe"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1127"
+name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1218.011"
+ name = "Rundll32"
+ reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
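Review bot: `defense_evasion_dotnet_clickonce_dfsvc_netcon.toml` omits `timestamp_override = "event.ingested"`, which the other new building-block rules in this diff set; with `from = "now-119m"` and `interval = "60m"` the rule otherwise keys on the event's own `@timestamp`, so events that are ingested late may fall outside the window (whether sequence rules honour the override the same way is something to confirm before adding it). The sequence joins its two steps on `user.id` only, so any rundll32 dfshim launch followed within 5s by any dfsvc.exe connection from the same account on the host is paired, regardless of process lineage; that looks intentional, presumably because dfsvc.exe is not started as a child of the rundll32 instance, and deserves a comment above the query such as `/* dfsvc.exe is started by the ClickOnce shim rather than as a child of rundll32, hence the join on user.id — confirm */`. The `"*dfshim*#*"` pattern is also wide enough to warrant a one-line comment naming the invocation form it targets.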
diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml new file mode 100644 index 000000000..743aed552 --- /dev/null +++ b/rules_building_block/defense_evasion_download_susp_extension.toml 
@@ -0,0 +1,80 @@ +[metadata] +creation_date = "2023/09/27" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/27" + +[rule] +author = ["Elastic"] +description = """ +Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution. +""" +references = [ + "https://x.com/Laughing_Mantis/status/1518766501385318406", + "https://wikileaks.org/ciav7p1/cms/page_13763375.html" +] +from = "now-119m" +interval = "60m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "File with Suspicious Extension Downloaded" +risk_score = 21 +rule_id = "8d366588-cbd6-43ba-95b4-0971c3f906e5" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +timestamp_override = "event.ingested" +type = "eql" +building_block_type = "default" + +query = ''' +file where host.os.type == "windows" and event.type == "creation" and + file.extension : ( + "appinstaller", "application", "appx", "appxbundle", "cpl", "diagcab", "diagpkg", "diagcfg", "manifest", + "msix", "pif", "search-ms", "searchConnector-ms", "settingcontent-ms", "symlink", "theme", "themepack" + ) and file.Ext.windows.zone_identifier > 1 and + not + ( + file.extension : "msix" and file.path : "?:\\Users\\*\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source*" + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [[rule.threat.technique]] + name = "System Binary Proxy Execution" + id = "T1218" + reference = "https://attack.mitre.org/techniques/T1218/" + + [rule.threat.tactic] + name = "Defense Evasion" + id = "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" 
+reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml new file mode 100644 index 000000000..6805bb71a --- /dev/null +++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml 
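Review bot: `file.Ext.windows.zone_identifier > 1` in `defense_evasion_download_susp_extension.toml` is the core of the rule but carries no explanation of what the threshold means; an EQL comment on the line, `/* Mark-of-the-Web ZoneId: 2 = Trusted sites, 3 = Internet, 4 = Restricted sites */`, makes the "downloaded from outside the local network" claim in the description checkable. The WinGet exclusion is path-only under the user-writable `?:\Users\*\AppData\Local\Temp\WinGet\Microsoft.Winget.Source*`, so any `.msix` that arrives there with a zone identifier is excluded no matter which process wrote it; tying the exclusion to the writing process (a trusted `process.code_signature` check, or the WinGet process name) would keep the false-positive fix without the blind spot. As a style point, the first `[[rule.threat]]` block is indented and lists `name` before `id` while the second and every other rule in the diff use the flat `id`/`name`/`reference` order; one layout per file is easier to diff.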
@@ -0,0 +1,96 @@ +[metadata] +creation_date = "2023/09/26" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/26" + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a +trusted visual studio project to execute a malicious command during the project build process. +""" +references = [ + "https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", + "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx" +] +from = "now-119m" +interval = "60m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Execution via MS VisualStudio Pre/Post Build Events" +risk_score = 21 +rule_id = "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"] +building_block_type = "default" +type = "eql" + +query = ''' +sequence with maxspan=1m + [process where host.os.type == "windows" and event.action == "start" and + process.name : "cmd.exe" and process.parent.name : "MSBuild.exe" and + process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\tmp*.exec.cmd"] by process.entity_id + [process where host.os.type == "windows" and event.action == "start" and + process.name : ( + "cmd.exe", "powershell.exe", + "MSHTA.EXE", "CertUtil.exe", + "CertReq.exe", "rundll32.exe", + "regsvr32.exe", 
"MSbuild.exe", + "cscript.exe", "wscript.exe", + "installutil.exe" + ) and + not + ( + process.name : ("cmd.exe", "powershell.exe") and + process.args : ( + "*\\vcpkg\\scripts\\buildsystems\\msbuild\\applocal.ps1", + "HKLM\\SOFTWARE\\Microsoft\\VisualStudio\\SxS\\VS?", + "process.versions.node*", + "?:\\Program Files\\nodejs\\node.exe", + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSBuild\\ToolsVersions\\*", + "*Get-ChildItem*Tipasplus.css*", + "Build\\GenerateResourceScripts.ps1", + "Shared\\Common\\..\\..\\BuildTools\\ConfigBuilder.ps1\"", + "?:\\Projets\\*\\PostBuild\\MediaCache.ps1" + ) + ) and + not process.executable : "?:\\Program Files*\\Microsoft Visual Studio\\*\\MSBuild.exe" and + not (process.name : "cmd.exe" and + process.command_line : + ("*vswhere.exe -property catalog_productSemanticVersion*", + "*git log --pretty=format*", "*\\.nuget\\packages\\vswhere\\*", + "*Common\\..\\..\\BuildTools\\*")) + ] by process.parent.entity_id +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_injection_from_msoffice.toml b/rules_building_block/defense_evasion_injection_from_msoffice.toml new file mode 100644 index 000000000..75c4d039f --- /dev/null +++ b/rules_building_block/defense_evasion_injection_from_msoffice.toml 
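Review bot: Several exclusions in `defense_evasion_execution_via_visualstudio_prebuildevent.toml` are bare command-line substring wildcards — `"*Get-ChildItem*Tipasplus.css*"`, `"*Common\\..\\..\\BuildTools\\*"`, `"?:\\Projets\\*\\PostBuild\\MediaCache.ps1"` — that read as tuned to one environment and apply regardless of which of the listed interpreters runs them, so a later reader cannot tell whether they are still needed or safe. Add an EQL comment above each exclusion group naming the product or build pipeline it covers (e.g. `/* vcpkg, nodejs and VS SxS registry lookups performed by stock MSBuild targets */`), and consider dropping or narrowing the site-specific `Projets`/`Tipasplus` entries before the rule ships publicly. The trailing tactic-only `[[rule.threat]]` for Execution is valid, but placing it after a blank line with the same spacing as the first block would keep the threat section readable.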
@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2023/09/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual
+process arguments and path. This behavior is often observed during exploitation of Office applications or from documents
+with malicious macros.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Process Injection from Malicious Document"
+risk_score = 21
+rule_id = "1c5a04ae-d034-41bf-b0d8-96439b5cc774"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.action == "start" and
+ process.parent.name : ("excel.exe", "powerpnt.exe", "winword.exe") and
+ process.args_count == 1 and
+ process.executable : (
+ "?:\\Windows\\SysWOW64\\*.exe", "?:\\Windows\\system32\\*.exe"
+ ) and
+ not (process.executable : "?:\\Windows\\System32\\spool\\drivers\\x64\\*" and
+ process.code_signature.trusted == true and not process.code_signature.subject_name : "Microsoft *") and
+ not process.executable : (
+ "?:\\Windows\\Sys*\\Taskmgr.exe",
+ "?:\\Windows\\Sys*\\ctfmon.exe",
+ "?:\\Windows\\System32\\notepad.exe")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense
Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules_building_block/defense_evasion_invalid_codesign_imageload.toml b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml
new file mode 100644
index 000000000..b80aa386a
--- /dev/null
+++ b/rules_building_block/defense_evasion_invalid_codesign_imageload.toml
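Review bot: The clause `not (process.executable : "?:\\Windows\\System32\\spool\\drivers\\x64\\*" and process.code_signature.trusted == true and not process.code_signature.subject_name : "Microsoft *")` is hard to read because of the nested `not`: it excludes trusted third-party-signed binaries under spool\drivers while keeping Microsoft-signed ones in scope. If that asymmetry is intended (presumably vendor printer-driver helpers launched from Office print dialogs), a comment above it such as `/* trusted non-Microsoft printer driver helpers under spool\drivers are expected; Microsoft-signed ones stay in scope */` would record the reasoning for the next person tuning this rule. The description also promises "unusual process arguments", but the query only constrains `process.args_count == 1`; rewording the description to say the child is launched without arguments would match what is actually evaluated.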
@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/09/27"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a
+signed binary.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Image Loaded with Invalid Signature"
+risk_score = 21
+rule_id = "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+library where host.os.type == "windows" and event.action == "load" and
+ dll.code_signature.status : ("errorUntrustedRoot", "errorBadDigest", "errorUntrustedRoot") and
+ (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and
+ not startswith~(dll.name, process.name) and
+ not dll.path : (
+ "?:\\Windows\\System32\\DriverStore\\FileRepository\\*"
+ )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/defense_evasion_masquerading_browsers.toml b/rules_building_block/defense_evasion_masquerading_browsers.toml
index 3d8ea3259..86d610a64 100644
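Review bot: `dll.code_signature.status : ("errorUntrustedRoot", "errorBadDigest", "errorUntrustedRoot")` lists `errorUntrustedRoot` twice, so either the third entry is a copy-paste leftover or a different status value was intended and is now silently missing from the rule; please confirm which and drop or replace the duplicate. This rule also keys on `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` while keeping `min_stack_version = "8.3.0"`, yet the `defense_evasion_masquerading_windows_dll.toml` hunk in this same commit bumps to `min_stack_version = "8.4.0"` with a `min_stack_comments` saying `dll.Ext.relative_file_creation_time` is only populated from Elastic Endpoint 8.4; the two rules should carry the same minimum and the same explanatory comment. On endpoints that do not populate those fields the `<= 500` comparisons appear to evaluate to no match, so the rule would be silently inert on such hosts rather than noisy, which is the harder failure to notice.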
--- a/rules_building_block/defense_evasion_masquerading_browsers.toml +++ b/rules_building_block/defense_evasion_masquerading_browsers.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/02" +updated_date = "2023/10/13" bypass_bbr_timing = true [rule] @@ -22,7 +22,7 @@ name = "Potential Masquerading as Browser Process" risk_score = 21 rule_id = "5b9eb30f-87d6-45f4-9289-2bf2024f0376" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" 
@@ -40,10 +40,26 @@ process where host.os.type == "windows" and event.type == "start" and (process.code_signature.subject_name : ("Google LLC", "Google Inc") and process.code_signature.trusted == true) and not ( - process.executable : "?:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe" and + process.executable : ( + "?:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe", + "?:\\Program Files\\HP\\Sure Click\\*\\servers\\chrome.exe" + ) and process.code_signature.subject_name : ("Bromium, Inc.") and process.code_signature.trusted == true - ) - and not process.hash.sha256 : "6538d54a236349f880d6793d219f558764629efc85d4d08b56b94717c01fb25a" + ) and + not ( + process.executable : ( + "?:\\Users\\*\\AppData\\Local\\ms-playwright\\chromium-*\\chrome-win\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\synthetics-recorder\\resources\\local-browsers\\chromium-*\\chrome-win\\chrome.exe", + "*\\node_modules\\puppeteer\\.local-chromium\\win64-*\\chrome-win\\chrome.exe", + "?:\\Program Files (x86)\\Invicti Professional Edition\\chromium\\chrome.exe", + "?:\\Program Files\\End2End, Inc\\ARMS Html Engine\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\*BurpSuitePro\\burpbrowser\\*\\chrome.exe", + "?:\\Users\\*\\AppData\\Roaming\\*BurpSuite\\burpbrowser\\*\\chrome.exe" + ) and process.args: ( + "--enable-features=NetworkService,NetworkServiceInProcess", + "--type=crashpad-handler", "--enable-automation", "--disable-xss-auditor" + ) + ) ) or /* MS Edge Related Processes */ @@ -54,6 +70,11 @@ process where host.os.type == "windows" and event.type == "start" and "MicrosoftEdgeUpdateComRegisterShell64.exe", "msedgerecovery.exe", "MicrosoftEdgeUpdateSetup.exe" ) and not (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) + and not + ( + process.name : "msedgewebview2.exe" and + process.code_signature.subject_name : ("Bromium, Inc.") and process.code_signature.trusted == true + ) ) or /* Brave Related Processes */ 
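Review bot: The new exclusion block for automation browsers is satisfied by `process.executable` patterns under `?:\\Users\\*\\AppData\\...` and `*\\node_modules\\...` together with `process.args` values such as `--enable-automation`, and both the path and the argument are chosen by whoever launches the process, whereas every other exclusion in this rule (HP Sure Click, the Edge and Firefox blocks) additionally requires `process.code_signature.trusted == true` with a named signer. That makes this the weakest carve-out in the rule; a comment on the block such as `/* path + argument allowlist for unsigned automation browsers (Playwright, Puppeteer, Burp, ...): no signer check, review periodically */` would keep the trade-off visible to the next maintainer. Style: `process.args: (` is missing the space before the colon that every other field test in this query uses, e.g. `process.args : (`.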
@@ -69,9 +90,14 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : ( "firefox.exe", "pingsender.exe", "default-browser-agent.exe", "maintenanceservice.exe", "plugin-container.exe", "maintenanceservice_tmp.exe", "maintenanceservice_installer.exe", - "minidump-analyzer.exe", "crashreporter.exe" + "minidump-analyzer.exe" ) and not (process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true) + and not + ( + process.name : "default-browser-agent.exe" and + process.code_signature.subject_name : ("WATERFOX LIMITED") and process.code_signature.trusted == true + ) ) or /* Island Related Processes */ @@ -108,7 +134,9 @@ process where host.os.type == "windows" and event.type == "start" and "Google LLC", "Google Inc", "Microsoft Corporation", - "NAVER Corp." + "NAVER Corp.", + "AVG Technologies USA, LLC", + "Avast Software s.r.o." ) and process.code_signature.trusted == true ) ) @@ -123,9 +151,31 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Client Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + 
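Review bot: `"crashreporter.exe"` is dropped from the Firefox process list without any recorded reason, and the narrowing is easy to miss next to the Waterfox exclusion added in the same hunk; a one-line `/* crashreporter.exe removed: <REASON-PLACEHOLDER> */` on the list, or a sentence in the rule's changelog, would keep the scope change traceable. The last hunk of this file (`@@ -123,9 +151,31 @@`) also appends an empty line after `reference = "https://attack.mitre.org/tactics/TA0003/"`, so the file now ends in a blank line; the same trailing blank line is added to `defense_evasion_masquerading_business_apps_installer.toml` and `defense_evasion_masquerading_vlc_dll.toml` in this commit.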
diff --git a/rules_building_block/defense_evasion_masquerading_business_apps_installer.toml b/rules_building_block/defense_evasion_masquerading_business_apps_installer.toml index 4670f9e3a..212f64ad0 100644 --- a/rules_building_block/defense_evasion_masquerading_business_apps_installer.toml +++ b/rules_building_block/defense_evasion_masquerading_business_apps_installer.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/01" +updated_date = "2023/10/13" bypass_bbr_timing = true [rule] @@ -25,7 +25,7 @@ references = [ risk_score = 21 rule_id = "feafdc51-c575-4ed2-89dd-8e20badc2d6c" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution", "Rule Type: BBR"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" @@ -168,6 +168,16 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" 
@@ -186,3 +196,22 @@ reference = "https://attack.mitre.org/techniques/T1189/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml new file mode 100644 index 000000000..34c52ba7c --- /dev/null +++ b/rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml 
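Review bot: Style: the new `[[rule.threat]]` block leaves three empty lines between `reference = "https://attack.mitre.org/techniques/T1204/002/"` and `[rule.threat.tactic]`, whereas the other threat blocks touched in this commit separate the subtechnique from its tactic table with a single blank line. The same triple blank line appears in the new "Execution via MS VisualStudio Pre/Post Build Events" rule between its `T1127.001` subtechnique and `[rule.threat.tactic]`; collapsing both to one blank line keeps the rule files uniform.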
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/09/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt
+to evade detection by masquerading files using the file extension values used by image, audio, or document file types.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Executable File with Unusual Extension"
+risk_score = 21
+rule_id = "ecd4857b-5bac-455e-a7c9-a88b66e56a9e"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.action != "deletion" and
+
+ /* MZ header or its common base64 equivalent TVqQ */
+ file.Ext.header_bytes : ("4d5a*", "54567151*") and
+
+ (
+ /* common image file extensions */
+ file.extension : ("jpg", "jpeg", "emf", "tiff", "gif", "png", "bmp", "fpx", "eps", "svg", "inf") or
+
+ /* common audio and video file extensions */
+ file.extension : ("mp3", "wav", "avi", "mpeg", "flv", "wma", "wmv", "mov", "mp4", "3gp") or
+
+ /* common document file extensions */
+ file.extension : ("txt", "pdf", "doc", "docx", "rtf", "ppt", "pptx", "xls", "xlsx", "hwp", "html")
+ ) and
+ not process.pid == 4 and
+ not process.executable : "?:\\Program Files (x86)\\Trend Micro\\Client Server Security Agent\\Ntrtscan.exe"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]] +id = "T1036.008" +name = "Masquerade File Type" +reference = "https://attack.mitre.org/techniques/T1036/008/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml index 7901bbafb..8205d9879 100644 --- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/09" +updated_date = "2023/10/13" bypass_bbr_timing = true [rule] @@ -22,7 +22,7 @@ name = "Potential Masquerading as VLC DLL" risk_score = 21 rule_id = "4494c14f-5ff8-4ed2-8e99-bf816a1642fc" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" 
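Review bot: `"inf"` sits in the list under the `/* common image file extensions */` comment, but `.inf` is a Windows setup-information file, not an image format, so either it was added to the wrong group or the comment no longer describes the list; if it is meant to stay, give it its own line with a comment like `/* setup information files */` so the grouping stays truthful. `not process.pid == 4` is also the kind of magic number that deserves a why-comment, e.g. `/* pid 4 is the Windows System process; its file writes are expected */`, since nothing else in the query explains it.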
@@ -44,9 +44,32 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Client Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index fa38a07f8..ca2816fd1 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml @@ -2,9 +2,9 @@ creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/21" +min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." +min_stack_version = "8.4.0" +updated_date = "2023/10/13" bypass_bbr_timing = true [rule] 
@@ -22,13 +22,13 @@ name = "Potential Masquerading as System32 DLL" risk_score = 21 rule_id = "fb01d790-9f74-4e76-97dd-b4b0f7bf6435" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" query = ''' -library where event.action == "load" and +library where event.action == "load" and dll.Ext.relative_file_creation_time <= 3600 and not ( dll.path : ( "?:\\Windows\\System32\\*", @@ -36,6 +36,8 @@ library where event.action == "load" and "?:\\Windows\\SystemTemp\\*", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\*", + "?:\\$WINDOWS.~BT\\Sources\\*", + "?:\\$WINDOWS.~BT\\Work\\*", "?:\\Windows\\WinSxS\\*", "?:\\Windows\\SoftwareDistribution\\Download\\*", "?:\\Windows\\assembly\\NativeImages_v*" 
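Review bot: Adding `dll.Ext.relative_file_creation_time <= 3600` to the top-level `and` means a load event from an endpoint that does not populate that field (per the new `min_stack_comments`, Elastic Endpoint below 8.4) appears to evaluate to no match, so on a mixed fleet the rule goes quiet for those hosts instead of keeping its previous behaviour; `min_stack_version = "8.4.0"` gates the Kibana stack, not the endpoint agent version, so this deserves a comment in the query, e.g. `/* requires Elastic Endpoint >= 8.4: events without dll.Ext.relative_file_creation_time do not match */`, or a sentence in the rule's setup text. While this line is being touched, note that it is the only query in this commit without a `host.os.type == "windows"` constraint; the `?:\\Windows\\...` path exclusions imply Windows, but the explicit test keeps it consistent with the sibling rules. The enclosing query continues past the end of this hunk.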
@@ -55,8 +57,29 @@ library where event.action == "load" and "aadauthhelper.dll", "aadcloudap.dll", "aadjcsp.dll", "aadtb.dll", "aadwamextension.dll", "aarsvc.dll", "abovelockapphost.dll", "accessibilitycpl.dll", "accountaccessor.dll", "accountsrt.dll", "acgenral.dll", "aclayers.dll", "acledit.dll", "aclui.dll", "acmigration.dll", "acppage.dll", "acproxy.dll", "acspecfc.dll", "actioncenter.dll", "actioncentercpl.dll", "actionqueue.dll", "activationclient.dll", "activeds.dll", "activesynccsp.dll", "actxprxy.dll", "acwinrt.dll", "acxtrnal.dll", "adaptivecards.dll", "addressparser.dll", "adhapi.dll", "adhsvc.dll", "admtmpl.dll", "adprovider.dll", "adrclient.dll", "adsldp.dll", "adsldpc.dll", "adsmsext.dll", "adsnt.dll", "adtschema.dll", "advancedemojids.dll", "advapi32.dll", "advapi32res.dll", "advpack.dll", "aeevts.dll", "aeinv.dll", "aepic.dll", "ajrouter.dll", "altspace.dll", "amsi.dll", "amsiproxy.dll", "amstream.dll", "apds.dll", "aphostclient.dll", "aphostres.dll", "aphostservice.dll", "apisampling.dll", "apisetschema.dll", "apmon.dll", "apmonui.dll", "appcontracts.dll", "appextension.dll", "apphelp.dll", "apphlpdm.dll", "appidapi.dll", "appidsvc.dll", "appinfo.dll", "appinfoext.dll", "applicationframe.dll", "applockercsp.dll", "appmgmts.dll", "appmgr.dll", "appmon.dll", "appointmentapis.dll", "appraiser.dll", "appreadiness.dll", "apprepapi.dll", "appresolver.dll", "appsruprov.dll", "appvcatalog.dll", "appvclientps.dll", "appvetwclientres.dll", "appvintegration.dll", "appvmanifest.dll", "appvpolicy.dll", "appvpublishing.dll", "appvreporting.dll", "appvscripting.dll", "appvsentinel.dll", "appvstreamingux.dll", "appvstreammap.dll", "appvterminator.dll", "appxalluserstore.dll", "appxpackaging.dll", "appxsip.dll", "appxsysprep.dll", "archiveint.dll", "asferror.dll", "aspnet_counters.dll", "asycfilt.dll", "atl.dll", "atlthunk.dll", "atmlib.dll", "audioeng.dll", "audiohandlers.dll", "audiokse.dll", "audioses.dll", "audiosrv.dll", "auditcse.dll", "auditpolcore.dll", 
"auditpolmsg.dll", "authbroker.dll", "authbrokerui.dll", "authentication.dll", "authext.dll", "authfwcfg.dll", "authfwgp.dll", "authfwsnapin.dll", "authfwwizfwk.dll", "authhostproxy.dll", "authui.dll", "authz.dll", "autopilot.dll", "autopilotdiag.dll", "autoplay.dll", "autotimesvc.dll", "avicap32.dll", "avifil32.dll", "avrt.dll", "axinstsv.dll", "azroles.dll", "azroleui.dll", "azsqlext.dll", "basecsp.dll", "basesrv.dll", "batmeter.dll", "bcastdvrbroker.dll", "bcastdvrclient.dll", "bcastdvrcommon.dll", "bcd.dll", "bcdprov.dll", "bcdsrv.dll", "bcp47langs.dll", "bcp47mrm.dll", "bcrypt.dll", "bcryptprimitives.dll", "bdehdcfglib.dll", "bderepair.dll", "bdesvc.dll", "bdesysprep.dll", "bdeui.dll", "bfe.dll", "bi.dll", "bidispl.dll", "bindfltapi.dll", "bingasds.dll", "bingfilterds.dll", "bingmaps.dll", "biocredprov.dll", "bisrv.dll", "bitlockercsp.dll", "bitsigd.dll", "bitsperf.dll", "bitsproxy.dll", "biwinrt.dll", "blbevents.dll", "blbres.dll", "blb_ps.dll", "bluetoothapis.dll", "bnmanager.dll", "bootmenuux.dll", "bootstr.dll", "bootux.dll", "bootvid.dll", "bridgeres.dll", "brokerlib.dll", "browcli.dll", "browserbroker.dll", "browseui.dll", "btagservice.dll", "bthavctpsvc.dll", "bthavrcp.dll", "bthavrcpappsvc.dll", "bthci.dll", "bthpanapi.dll", "bthradiomedia.dll", "bthserv.dll", "bthtelemetry.dll", "btpanui.dll", "bwcontexthandler.dll", "cabapi.dll", "cabinet.dll", "cabview.dll", "callbuttons.dll", "cameracaptureui.dll", "capauthz.dll", "capiprovider.dll", "capisp.dll", "captureservice.dll", "castingshellext.dll", "castlaunch.dll", "catsrv.dll", "catsrvps.dll", "catsrvut.dll", "cbdhsvc.dll", "cca.dll", "cdd.dll", "cdosys.dll", "cdp.dll", "cdprt.dll", "cdpsvc.dll", "cdpusersvc.dll", "cemapi.dll", "certca.dll", "certcli.dll", "certcredprovider.dll", "certenc.dll", "certenroll.dll", "certenrollui.dll", "certmgr.dll", "certpkicmdlet.dll", "certpoleng.dll", "certprop.dll", "cewmdm.dll", "cfgbkend.dll", "cfgmgr32.dll", "cfgspcellular.dll", "cfgsppolicy.dll", "cflapi.dll", 
"cfmifs.dll", "cfmifsproxy.dll", "chakra.dll", "chakradiag.dll", "chakrathunk.dll", "chartv.dll", "chatapis.dll", "chkwudrv.dll", "chsstrokeds.dll", "chtbopomofods.dll", "chtcangjieds.dll", "chthkstrokeds.dll", "chtquickds.dll", "chxapds.dll", "chxdecoder.dll", "chxhapds.dll", "chxinputrouter.dll", "chxranker.dll", "ci.dll", "cic.dll", "cimfs.dll", "circoinst.dll", "ciwmi.dll", "clb.dll", "clbcatq.dll", "cldapi.dll", "cleanpccsp.dll", "clfsw32.dll", "cliconfg.dll", "clipboardserver.dll", "clipc.dll", "clipsvc.dll", "clipwinrt.dll", "cloudap.dll", "cloudidsvc.dll", "clrhost.dll", "clusapi.dll", "cmcfg32.dll", "cmdext.dll", "cmdial32.dll", "cmgrcspps.dll", "cmifw.dll", "cmintegrator.dll", "cmlua.dll", "cmpbk32.dll", "cmstplua.dll", "cmutil.dll", "cngcredui.dll", "cngprovider.dll", "cnvfat.dll", "cofiredm.dll", "colbact.dll", "colorcnv.dll", "colorui.dll", "combase.dll", "comcat.dll", "comctl32.dll", "comdlg32.dll", "coml2.dll", "comppkgsup.dll", "compstui.dll", "computecore.dll", "computenetwork.dll", "computestorage.dll", "comrepl.dll", "comres.dll", "comsnap.dll", "comsvcs.dll", "comuid.dll", "configmanager2.dll", "conhostv1.dll", "connect.dll", "consentux.dll", "consentuxclient.dll", "console.dll", "consolelogon.dll", "contactapis.dll", "container.dll", "coredpus.dll", "coreglobconfig.dll", "coremas.dll", "coremessaging.dll", "coremmres.dll", "coreshell.dll", "coreshellapi.dll", "coreuicomponents.dll", "correngine.dll", "courtesyengine.dll", "cpfilters.dll", "creddialogbroker.dll", "credprovhelper.dll", "credprovhost.dll", "credprovs.dll", "credprovslegacy.dll", "credssp.dll", "credui.dll", "crypt32.dll", "cryptbase.dll", "cryptcatsvc.dll", "cryptdlg.dll", "cryptdll.dll", "cryptext.dll", "cryptnet.dll", "cryptngc.dll", "cryptowinrt.dll", "cryptsp.dll", "cryptsvc.dll", "crypttpmeksvc.dll", "cryptui.dll", "cryptuiwizard.dll", "cryptxml.dll", "cscapi.dll", "cscdll.dll", "cscmig.dll", "cscobj.dll", "cscsvc.dll", "cscui.dll", "csplte.dll", "cspproxy.dll", "csrsrv.dll", 
"cxcredprov.dll", "c_g18030.dll", "c_gsm7.dll", "c_is2022.dll", "c_iscii.dll", "d2d1.dll", "d3d10.dll", "d3d10core.dll", "d3d10level9.dll", "d3d10warp.dll", "d3d10_1.dll", "d3d10_1core.dll", "d3d11.dll", "d3d11on12.dll", "d3d12.dll", "d3d12core.dll", "d3d8thk.dll", "d3d9.dll", "d3d9on12.dll", "d3dscache.dll", "dab.dll", "dabapi.dll", "daconn.dll", "dafbth.dll", "dafdnssd.dll", "dafescl.dll", "dafgip.dll", "dafiot.dll", "dafipp.dll", "dafmcp.dll", "dafpos.dll", "dafprintprovider.dll", "dafupnp.dll", "dafwcn.dll", "dafwfdprovider.dll", "dafwiprov.dll", "dafwsd.dll", "damediamanager.dll", "damm.dll", "das.dll", "dataclen.dll", "datusage.dll", "davclnt.dll", "davhlpr.dll", "davsyncprovider.dll", "daxexec.dll", "dbgcore.dll", "dbgeng.dll", "dbghelp.dll", "dbgmodel.dll", "dbnetlib.dll", "dbnmpntw.dll", "dciman32.dll", "dcntel.dll", "dcomp.dll", "ddaclsys.dll", "ddcclaimsapi.dll", "ddds.dll", "ddisplay.dll", "ddoiproxy.dll", "ddores.dll", "ddpchunk.dll", "ddptrace.dll", "ddputils.dll", "ddp_ps.dll", "ddraw.dll", "ddrawex.dll", "defragproxy.dll", "defragres.dll", "defragsvc.dll", "deploymentcsps.dll", "deskadp.dll", "deskmon.dll", "desktopshellext.dll", "devenum.dll", "deviceaccess.dll", "devicecenter.dll", "devicecredential.dll", "devicepairing.dll", "deviceuxres.dll", "devinv.dll", "devmgr.dll", "devobj.dll", "devpropmgr.dll", "devquerybroker.dll", "devrtl.dll", "dfdts.dll", "dfscli.dll", "dfshim.dll", "dfsshlex.dll", "dggpext.dll", "dhcpcmonitor.dll", "dhcpcore.dll", "dhcpcore6.dll", "dhcpcsvc.dll", "dhcpcsvc6.dll", "dhcpsapi.dll", "diagcpl.dll", "diagnosticlogcsp.dll", "diagperf.dll", "diagsvc.dll", "diagtrack.dll", "dialclient.dll", "dialserver.dll", "dictationmanager.dll", "difxapi.dll", "dimsjob.dll", "dimsroam.dll", "dinput.dll", "dinput8.dll", "direct2ddesktop.dll", "directml.dll", "discan.dll", "dismapi.dll", "dispbroker.dll", "dispex.dll", "display.dll", "displaymanager.dll", "dlnashext.dll", "dmappsres.dll", "dmcfgutils.dll", "dmcmnutils.dll", "dmcsps.dll", 
"dmdlgs.dll", "dmdskmgr.dll", "dmdskres.dll", "dmdskres2.dll", "dmenrollengine.dll", "dmintf.dll", "dmiso8601utils.dll", "dmloader.dll", "dmocx.dll", "dmoleaututils.dll", "dmpushproxy.dll", "dmpushroutercore.dll", "dmrcdecoder.dll", "dmrserver.dll", "dmsynth.dll", "dmusic.dll", "dmutil.dll", "dmvdsitf.dll", "dmwappushsvc.dll", "dmwmicsp.dll", "dmxmlhelputils.dll", "dnsapi.dll", "dnscmmc.dll", "dnsext.dll", "dnshc.dll", "dnsrslvr.dll", "docprop.dll", "dolbydecmft.dll", "domgmt.dll", "dosettings.dll", "dosvc.dll", "dot3api.dll", "dot3cfg.dll", "dot3conn.dll", "dot3dlg.dll", "dot3gpclnt.dll", "dot3gpui.dll", "dot3hc.dll", "dot3mm.dll", "dot3msm.dll", "dot3svc.dll", "dot3ui.dll", "dpapi.dll", "dpapiprovider.dll", "dpapisrv.dll", "dpnaddr.dll", "dpnathlp.dll", "dpnet.dll", "dpnhpast.dll", "dpnhupnp.dll", "dpnlobby.dll", "dps.dll", "dpx.dll", "drprov.dll", "drt.dll", "drtprov.dll", "drttransport.dll", "drvsetup.dll", "drvstore.dll", "dsauth.dll", "dsccore.dll", "dsccoreconfprov.dll", "dsclient.dll", "dscproxy.dll", "dsctimer.dll", "dsdmo.dll", "dskquota.dll", "dskquoui.dll", "dsound.dll", "dsparse.dll", "dsprop.dll", "dsquery.dll", "dsreg.dll", "dsregtask.dll", "dsrole.dll", "dssec.dll", "dssenh.dll", "dssvc.dll", "dsui.dll", "dsuiext.dll", "dswave.dll", "dtsh.dll", "ducsps.dll", "dui70.dll", "duser.dll", "dusmapi.dll", "dusmsvc.dll", "dwmapi.dll", "dwmcore.dll", "dwmghost.dll", "dwminit.dll", "dwmredir.dll", "dwmscene.dll", "dwrite.dll", "dxcore.dll", "dxdiagn.dll", "dxgi.dll", "dxgwdi.dll", "dxilconv.dll", "dxmasf.dll", "dxp.dll", "dxpps.dll", "dxptasksync.dll", "dxtmsft.dll", "dxtrans.dll", "dxva2.dll", "dynamoapi.dll", "eapp3hst.dll", "eappcfg.dll", "eappcfgui.dll", "eappgnui.dll", "eapphost.dll", "eappprxy.dll", "eapprovp.dll", "eapputil.dll", "eapsimextdesktop.dll", "eapsvc.dll", "eapteapauth.dll", "eapteapconfig.dll", "eapteapext.dll", "easconsent.dll", "easwrt.dll", "edgeangle.dll", "edgecontent.dll", "edgehtml.dll", "edgeiso.dll", "edgemanager.dll", 
"edpauditapi.dll", "edpcsp.dll", "edptask.dll", "edputil.dll", "eeprov.dll", "eeutil.dll", "efsadu.dll", "efscore.dll", "efsext.dll", "efslsaext.dll", "efssvc.dll", "efsutil.dll", "efswrt.dll", "ehstorapi.dll", "ehstorpwdmgr.dll", "ehstorshell.dll", "els.dll", "elscore.dll", "elshyph.dll", "elslad.dll", "elstrans.dll", "emailapis.dll", "embeddedmodesvc.dll", "emojids.dll", "encapi.dll", "energy.dll", "energyprov.dll", "energytask.dll", "enrollmentapi.dll", "enterpriseapncsp.dll", "enterprisecsps.dll", "enterpriseetw.dll", "eqossnap.dll", "errordetails.dll", "errordetailscore.dll", "es.dll", "esclprotocol.dll", "esclscan.dll", "esclwiadriver.dll", "esdsip.dll", "esent.dll", "esentprf.dll", "esevss.dll", "eshims.dll", "etwrundown.dll", "euiccscsp.dll", "eventaggregation.dll", "eventcls.dll", "evr.dll", "execmodelclient.dll", "execmodelproxy.dll", "explorerframe.dll", "exsmime.dll", "extrasxmlparser.dll", "f3ahvoas.dll", "facilitator.dll", "familysafetyext.dll", "faultrep.dll", "fcon.dll", "fdbth.dll", "fdbthproxy.dll", "fddevquery.dll", "fde.dll", "fdeploy.dll", "fdphost.dll", "fdpnp.dll", "fdprint.dll", "fdproxy.dll", "fdrespub.dll", "fdssdp.dll", "fdwcn.dll", "fdwnet.dll", "fdwsd.dll", "feclient.dll", "ffbroker.dll", "fhcat.dll", "fhcfg.dll", "fhcleanup.dll", "fhcpl.dll", "fhengine.dll", "fhevents.dll", "fhshl.dll", "fhsrchapi.dll", "fhsrchph.dll", "fhsvc.dll", "fhsvcctl.dll", "fhtask.dll", "fhuxadapter.dll", "fhuxapi.dll", "fhuxcommon.dll", "fhuxgraphics.dll", "fhuxpresentation.dll", "fidocredprov.dll", "filemgmt.dll", "filterds.dll", "findnetprinters.dll", "firewallapi.dll", "flightsettings.dll", "fltlib.dll", "fluencyds.dll", "fmapi.dll", "fmifs.dll", "fms.dll", "fntcache.dll", "fontext.dll", "fontprovider.dll", "fontsub.dll", "fphc.dll", "framedyn.dll", "framedynos.dll", "frameserver.dll", "frprov.dll", "fsutilext.dll", "fthsvc.dll", "fundisc.dll", "fveapi.dll", "fveapibase.dll", "fvecerts.dll", "fvecpl.dll", "fveskybackup.dll", "fveui.dll", "fvewiz.dll", 
"fwbase.dll", "fwcfg.dll", "fwmdmcsp.dll", "fwpolicyiomgr.dll", "fwpuclnt.dll", "fwremotesvr.dll", "gameinput.dll", "gamemode.dll", "gamestreamingext.dll", "gameux.dll", "gamingtcui.dll", "gcdef.dll", "gdi32.dll", "gdi32full.dll", "gdiplus.dll", "generaltel.dll", "geocommon.dll", "geolocation.dll", "getuname.dll", "glmf32.dll", "globinputhost.dll", "glu32.dll", "gmsaclient.dll", "gpapi.dll", "gpcsewrappercsp.dll", "gpedit.dll", "gpprefcl.dll", "gpprnext.dll", "gpscript.dll", "gpsvc.dll", "gptext.dll", "graphicscapture.dll", "graphicsperfsvc.dll", "groupinghc.dll", "hal.dll", "halextpl080.dll", "hascsp.dll", "hashtagds.dll", "hbaapi.dll", "hcproviders.dll", "hdcphandler.dll", "heatcore.dll", "helppaneproxy.dll", "hgcpl.dll", "hhsetup.dll", "hid.dll", "hidcfu.dll", "hidserv.dll", "hlink.dll", "hmkd.dll", "hnetcfg.dll", "hnetcfgclient.dll", "hnetmon.dll", "hologramworld.dll", "holoshellruntime.dll", "holoshextensions.dll", "hotplug.dll", "hrtfapo.dll", "httpapi.dll", "httpprxc.dll", "httpprxm.dll", "httpprxp.dll", "httpsdatasource.dll", "htui.dll", "hvhostsvc.dll", "hvloader.dll", "hvsigpext.dll", "hvsocket.dll", "hydrogen.dll", "ia2comproxy.dll", "ias.dll", "iasacct.dll", "iasads.dll", "iasdatastore.dll", "iashlpr.dll", "iasmigplugin.dll", "iasnap.dll", "iaspolcy.dll", "iasrad.dll", "iasrecst.dll", "iassam.dll", "iassdo.dll", "iassvcs.dll", "icfupgd.dll", "icm32.dll", "icmp.dll", "icmui.dll", "iconcodecservice.dll", "icsigd.dll", "icsvc.dll", "icsvcext.dll", "icu.dll", "icuin.dll", "icuuc.dll", "idctrls.dll", "idlisten.dll", "idndl.dll", "idstore.dll", "ieadvpack.dll", "ieapfltr.dll", "iedkcs32.dll", "ieframe.dll", "iemigplugin.dll", "iepeers.dll", "ieproxy.dll", "iernonce.dll", "iertutil.dll", "iesetup.dll", "iesysprep.dll", "ieui.dll", "ifmon.dll", "ifsutil.dll", "ifsutilx.dll", "igddiag.dll", "ihds.dll", "ikeext.dll", "imagehlp.dll", "imageres.dll", "imagesp1.dll", "imapi.dll", "imapi2.dll", "imapi2fs.dll", "imgutil.dll", "imm32.dll", "implatsetup.dll", 
"indexeddblegacy.dll", "inetcomm.dll", "inetmib1.dll", "inetpp.dll", "inetppui.dll", "inetres.dll", "inked.dll", "inkobjcore.dll", "inproclogger.dll", "input.dll", "inputcloudstore.dll", "inputcontroller.dll", "inputhost.dll", "inputservice.dll", "inputswitch.dll", "inseng.dll", "installservice.dll", "internetmail.dll", "internetmailcsp.dll", "invagent.dll", "iologmsg.dll", "iphlpapi.dll", "iphlpsvc.dll", "ipnathlp.dll", "ipnathlpclient.dll", "ippcommon.dll", "ippcommonproxy.dll", "iprtprio.dll", "iprtrmgr.dll", "ipsecsnp.dll", "ipsecsvc.dll", "ipsmsnap.dll", "ipxlatcfg.dll", "iri.dll", "iscsicpl.dll", "iscsidsc.dll", "iscsied.dll", "iscsiexe.dll", "iscsilog.dll", "iscsium.dll", "iscsiwmi.dll", "iscsiwmiv2.dll", "ism.dll", "itircl.dll", "itss.dll", "iuilp.dll", "iumbase.dll", "iumcrypt.dll", "iumdll.dll", "iumsdk.dll", "iyuv_32.dll", "joinproviderol.dll", "joinutil.dll", "jpmapcontrol.dll", "jpndecoder.dll", "jpninputrouter.dll", "jpnranker.dll", "jpnserviceds.dll", "jscript.dll", "jscript9.dll", "jscript9diag.dll", "jsproxy.dll", "kbd101.dll", "kbd101a.dll", "kbd101b.dll", "kbd101c.dll", "kbd103.dll", "kbd106.dll", "kbd106n.dll", "kbda1.dll", "kbda2.dll", "kbda3.dll", "kbdadlm.dll", "kbdal.dll", "kbdarme.dll", "kbdarmph.dll", "kbdarmty.dll", "kbdarmw.dll", "kbdax2.dll", "kbdaze.dll", "kbdazel.dll", "kbdazst.dll", "kbdbash.dll", "kbdbe.dll", "kbdbene.dll", "kbdbgph.dll", "kbdbgph1.dll", "kbdbhc.dll", "kbdblr.dll", "kbdbr.dll", "kbdbu.dll", "kbdbug.dll", "kbdbulg.dll", "kbdca.dll", "kbdcan.dll", "kbdcher.dll", "kbdcherp.dll", "kbdcr.dll", "kbdcz.dll", "kbdcz1.dll", "kbdcz2.dll", "kbdda.dll", "kbddiv1.dll", "kbddiv2.dll", "kbddv.dll", "kbddzo.dll", "kbdes.dll", "kbdest.dll", "kbdfa.dll", "kbdfar.dll", "kbdfc.dll", "kbdfi.dll", "kbdfi1.dll", "kbdfo.dll", "kbdfr.dll", "kbdfthrk.dll", "kbdgae.dll", "kbdgeo.dll", "kbdgeoer.dll", "kbdgeome.dll", "kbdgeooa.dll", "kbdgeoqw.dll", "kbdgkl.dll", "kbdgn.dll", "kbdgr.dll", "kbdgr1.dll", "kbdgrlnd.dll", "kbdgthc.dll", 
"kbdhau.dll", "kbdhaw.dll", "kbdhe.dll", "kbdhe220.dll", "kbdhe319.dll", "kbdheb.dll", "kbdhebl3.dll", "kbdhela2.dll", "kbdhela3.dll", "kbdhept.dll", "kbdhu.dll", "kbdhu1.dll", "kbdibm02.dll", "kbdibo.dll", "kbdic.dll", "kbdinasa.dll", "kbdinbe1.dll", "kbdinbe2.dll", "kbdinben.dll", "kbdindev.dll", "kbdinen.dll", "kbdinguj.dll", "kbdinhin.dll", "kbdinkan.dll", "kbdinmal.dll", "kbdinmar.dll", "kbdinori.dll", "kbdinpun.dll", "kbdintam.dll", "kbdintel.dll", "kbdinuk2.dll", "kbdir.dll", "kbdit.dll", "kbdit142.dll", "kbdiulat.dll", "kbdjav.dll", "kbdjpn.dll", "kbdkaz.dll", "kbdkhmr.dll", "kbdkni.dll", "kbdkor.dll", "kbdkurd.dll", "kbdkyr.dll", "kbdla.dll", "kbdlao.dll", "kbdlisub.dll", "kbdlisus.dll", "kbdlk41a.dll", "kbdlt.dll", "kbdlt1.dll", "kbdlt2.dll", "kbdlv.dll", "kbdlv1.dll", "kbdlvst.dll", "kbdmac.dll", "kbdmacst.dll", "kbdmaori.dll", "kbdmlt47.dll", "kbdmlt48.dll", "kbdmon.dll", "kbdmonmo.dll", "kbdmonst.dll", "kbdmyan.dll", "kbdne.dll", "kbdnec.dll", "kbdnec95.dll", "kbdnecat.dll", "kbdnecnt.dll", "kbdnepr.dll", "kbdnko.dll", "kbdno.dll", "kbdno1.dll", "kbdnso.dll", "kbdntl.dll", "kbdogham.dll", "kbdolch.dll", "kbdoldit.dll", "kbdosa.dll", "kbdosm.dll", "kbdpash.dll", "kbdphags.dll", "kbdpl.dll", "kbdpl1.dll", "kbdpo.dll", "kbdro.dll", "kbdropr.dll", "kbdrost.dll", "kbdru.dll", "kbdru1.dll", "kbdrum.dll", "kbdsf.dll", "kbdsg.dll", "kbdsl.dll", "kbdsl1.dll", "kbdsmsfi.dll", "kbdsmsno.dll", "kbdsn1.dll", "kbdsora.dll", "kbdsorex.dll", "kbdsors1.dll", "kbdsorst.dll", "kbdsp.dll", "kbdsw.dll", "kbdsw09.dll", "kbdsyr1.dll", "kbdsyr2.dll", "kbdtaile.dll", "kbdtajik.dll", "kbdtam99.dll", "kbdtat.dll", "kbdth0.dll", "kbdth1.dll", "kbdth2.dll", "kbdth3.dll", "kbdtifi.dll", "kbdtifi2.dll", "kbdtiprc.dll", "kbdtiprd.dll", "kbdtt102.dll", "kbdtuf.dll", "kbdtuq.dll", "kbdturme.dll", "kbdtzm.dll", "kbdughr.dll", "kbdughr1.dll", "kbduk.dll", "kbdukx.dll", "kbdur.dll", "kbdur1.dll", "kbdurdu.dll", "kbdus.dll", "kbdusa.dll", "kbdusl.dll", "kbdusr.dll", "kbdusx.dll", 
"kbduzb.dll", "kbdvntc.dll", "kbdwol.dll", "kbdyak.dll", "kbdyba.dll", "kbdycc.dll", "kbdycl.dll", "kd.dll", "kdcom.dll", "kdcpw.dll", "kdhvcom.dll", "kdnet.dll", "kdnet_uart16550.dll", "kdscli.dll", "kdstub.dll", "kdusb.dll", "kd_02_10df.dll", "kd_02_10ec.dll", "kd_02_1137.dll", "kd_02_14e4.dll", "kd_02_15b3.dll", "kd_02_1969.dll", "kd_02_19a2.dll", "kd_02_1af4.dll", "kd_02_8086.dll", "kd_07_1415.dll", "kd_0c_8086.dll", "kerbclientshared.dll", "kerberos.dll", "kernel32.dll", "kernelbase.dll", "keycredmgr.dll", "keyiso.dll", "keymgr.dll", "knobscore.dll", "knobscsp.dll", "ksuser.dll", "ktmw32.dll", "l2gpstore.dll", "l2nacp.dll", "l2sechc.dll", "laprxy.dll", "legacynetux.dll", "lfsvc.dll", "libcrypto.dll", "licensemanager.dll", "licensingcsp.dll", "licensingdiagspp.dll", "licensingwinrt.dll", "licmgr10.dll", "linkinfo.dll", "lltdapi.dll", "lltdres.dll", "lltdsvc.dll", "lmhsvc.dll", "loadperf.dll", "localsec.dll", "localspl.dll", "localui.dll", "locationapi.dll", "lockappbroker.dll", "lockcontroller.dll", "lockscreendata.dll", "loghours.dll", "logoncli.dll", "logoncontroller.dll", "lpasvc.dll", "lpk.dll", "lsasrv.dll", "lscshostpolicy.dll", "lsm.dll", "lsmproxy.dll", "lstelemetry.dll", "luainstall.dll", "luiapi.dll", "lz32.dll", "magnification.dll", "maintenanceui.dll", "manageci.dll", "mapconfiguration.dll", "mapcontrolcore.dll", "mapgeocoder.dll", "mapi32.dll", "mapistub.dll", "maprouter.dll", "mapsbtsvc.dll", "mapsbtsvcproxy.dll", "mapscsp.dll", "mapsstore.dll", "mapstoasttask.dll", "mapsupdatetask.dll", "mbaeapi.dll", "mbaeapipublic.dll", "mbaexmlparser.dll", "mbmediamanager.dll", "mbsmsapi.dll", "mbussdapi.dll", "mccsengineshared.dll", "mccspal.dll", "mciavi32.dll", "mcicda.dll", "mciqtz32.dll", "mciseq.dll", "mciwave.dll", "mcrecvsrc.dll", "mdmcommon.dll", "mdmdiagnostics.dll", "mdminst.dll", "mdmmigrator.dll", "mdmregistration.dll", "memorydiagnostic.dll", "messagingservice.dll", "mf.dll", "mf3216.dll", "mfaacenc.dll", "mfasfsrcsnk.dll", "mfaudiocnv.dll", 
"mfc42.dll", "mfc42u.dll", "mfcaptureengine.dll", "mfcore.dll", "mfcsubs.dll", "mfds.dll", "mfdvdec.dll", "mferror.dll", "mfh263enc.dll", "mfh264enc.dll", "mfksproxy.dll", "mfmediaengine.dll", "mfmjpegdec.dll", "mfmkvsrcsnk.dll", "mfmp4srcsnk.dll", "mfmpeg2srcsnk.dll", "mfnetcore.dll", "mfnetsrc.dll", "mfperfhelper.dll", "mfplat.dll", "mfplay.dll", "mfps.dll", "mfreadwrite.dll", "mfsensorgroup.dll", "mfsrcsnk.dll", "mfsvr.dll", "mftranscode.dll", "mfvdsp.dll", "mfvfw.dll", "mfwmaaec.dll", "mgmtapi.dll", "mi.dll", "mibincodec.dll", "midimap.dll", "migisol.dll", "miguiresource.dll", "mimefilt.dll", "mimofcodec.dll", "minstoreevents.dll", "miracastinputmgr.dll", "miracastreceiver.dll", "mirrordrvcompat.dll", "mispace.dll", "mitigationclient.dll", "miutils.dll", "mlang.dll", "mmcbase.dll", "mmcndmgr.dll", "mmcshext.dll", "mmdevapi.dll", "mmgaclient.dll", "mmgaproxystub.dll", "mmres.dll", "mobilenetworking.dll", "modemui.dll", "modernexecserver.dll", "moricons.dll", "moshost.dll", "moshostclient.dll", "moshostcore.dll", "mosstorage.dll", "mp3dmod.dll", "mp43decd.dll", "mp4sdecd.dll", "mpeval.dll", "mpg4decd.dll", "mpr.dll", "mprapi.dll", "mprddm.dll", "mprdim.dll", "mprext.dll", "mprmsg.dll", "mpssvc.dll", "mpunits.dll", "mrmcorer.dll", "mrmdeploy.dll", "mrmindexer.dll", "mrt100.dll", "mrt_map.dll", "msaatext.dll", "msac3enc.dll", "msacm32.dll", "msafd.dll", "msajapi.dll", "msalacdecoder.dll", "msalacencoder.dll", "msamrnbdecoder.dll", "msamrnbencoder.dll", "msamrnbsink.dll", "msamrnbsource.dll", "msasn1.dll", "msauddecmft.dll", "msaudite.dll", "msauserext.dll", "mscandui.dll", "mscat32.dll", "msclmd.dll", "mscms.dll", "mscoree.dll", "mscorier.dll", "mscories.dll", "msctf.dll", "msctfmonitor.dll", "msctfp.dll", "msctfui.dll", "msctfuimanager.dll", "msdadiag.dll", "msdart.dll", "msdelta.dll", "msdmo.dll", "msdrm.dll", "msdtckrm.dll", "msdtclog.dll", "msdtcprx.dll", "msdtcspoffln.dll", "msdtctm.dll", "msdtcuiu.dll", "msdtcvsp1res.dll", "msfeeds.dll", "msfeedsbs.dll", 
"msflacdecoder.dll", "msflacencoder.dll", "msftedit.dll", "msheif.dll", "mshtml.dll", "mshtmldac.dll", "mshtmled.dll", "mshtmler.dll", "msi.dll", "msicofire.dll", "msidcrl40.dll", "msident.dll", "msidle.dll", "msidntld.dll", "msieftp.dll", "msihnd.dll", "msiltcfg.dll", "msimg32.dll", "msimsg.dll", "msimtf.dll", "msisip.dll", "msiso.dll", "msiwer.dll", "mskeyprotcli.dll", "mskeyprotect.dll", "msls31.dll", "msmpeg2adec.dll", "msmpeg2enc.dll", "msmpeg2vdec.dll", "msobjs.dll", "msoert2.dll", "msopusdecoder.dll", "mspatcha.dll", "mspatchc.dll", "msphotography.dll", "msports.dll", "msprivs.dll", "msrahc.dll", "msrating.dll", "msrawimage.dll", "msrdc.dll", "msrdpwebaccess.dll", "msrle32.dll", "msscntrs.dll", "mssecuser.dll", "mssign32.dll", "mssip32.dll", "mssitlb.dll", "mssph.dll", "mssprxy.dll", "mssrch.dll", "mssvp.dll", "mstask.dll", "mstextprediction.dll", "mstscax.dll", "msutb.dll", "msv1_0.dll", "msvcirt.dll", "msvcp110_win.dll", "msvcp120_clr0400.dll", "msvcp140_clr0400.dll", "msvcp60.dll", "msvcp_win.dll", "msvcr100_clr0400.dll", "msvcr120_clr0400.dll", "msvcrt.dll", "msvfw32.dll", "msvidc32.dll", "msvidctl.dll", "msvideodsp.dll", "msvp9dec.dll", "msvproc.dll", "msvpxenc.dll", "mswb7.dll", "mswebp.dll", "mswmdm.dll", "mswsock.dll", "msxml3.dll", "msxml3r.dll", "msxml6.dll", "msxml6r.dll", "msyuv.dll", "mtcmodel.dll", "mtf.dll", "mtfappserviceds.dll", "mtfdecoder.dll", "mtffuzzyds.dll", "mtfserver.dll", "mtfspellcheckds.dll", "mtxclu.dll", "mtxdm.dll", "mtxex.dll", "mtxoci.dll", "muifontsetup.dll", "mycomput.dll", "mydocs.dll", "napcrypt.dll", "napinsp.dll", "naturalauth.dll", "naturallanguage6.dll", "navshutdown.dll", "ncaapi.dll", "ncasvc.dll", "ncbservice.dll", "ncdautosetup.dll", "ncdprop.dll", "nci.dll", "ncobjapi.dll", "ncrypt.dll", "ncryptprov.dll", "ncryptsslp.dll", "ncsi.dll", "ncuprov.dll", "nddeapi.dll", "ndfapi.dll", "ndfetw.dll", "ndfhcdiscovery.dll", "ndishc.dll", "ndproxystub.dll", "nduprov.dll", "negoexts.dll", "netapi32.dll", "netbios.dll", 
"netcenter.dll", "netcfgx.dll", "netcorehc.dll", "netdiagfx.dll", "netdriverinstall.dll", "netevent.dll", "netfxperf.dll", "neth.dll", "netid.dll", "netiohlp.dll", "netjoin.dll", "netlogon.dll", "netman.dll", "netmsg.dll", "netplwiz.dll", "netprofm.dll", "netprofmsvc.dll", "netprovfw.dll", "netprovisionsp.dll", "netsetupapi.dll", "netsetupengine.dll", "netsetupshim.dll", "netsetupsvc.dll", "netshell.dll", "nettrace.dll", "netutils.dll", "networkexplorer.dll", "networkhelper.dll", "networkicon.dll", "networkproxycsp.dll", "networkstatus.dll", "networkuxbroker.dll", "newdev.dll", "nfcradiomedia.dll", "ngccredprov.dll", "ngcctnr.dll", "ngcctnrsvc.dll", "ngcisoctnr.dll", "ngckeyenum.dll", "ngcksp.dll", "ngclocal.dll", "ngcpopkeysrv.dll", "ngcprocsp.dll", "ngcrecovery.dll", "ngcsvc.dll", "ngctasks.dll", "ninput.dll", "nlaapi.dll", "nlahc.dll", "nlasvc.dll", "nlhtml.dll", "nlmgp.dll", "nlmproxy.dll", "nlmsprep.dll", "nlsbres.dll", "nlsdata0000.dll", "nlsdata0009.dll", "nlsdl.dll", "nlslexicons0009.dll", "nmadirect.dll", "normaliz.dll", "npmproxy.dll", "npsm.dll", "nrpsrv.dll", "nshhttp.dll", "nshipsec.dll", "nshwfp.dll", "nsi.dll", "nsisvc.dll", "ntasn1.dll", "ntdll.dll", "ntdsapi.dll", "ntlanman.dll", "ntlanui2.dll", "ntlmshared.dll", "ntmarta.dll", "ntprint.dll", "ntshrui.dll", "ntvdm64.dll", "objsel.dll", "occache.dll", "ocsetapi.dll", "odbc32.dll", "odbcbcp.dll", "odbcconf.dll", "odbccp32.dll", "odbccr32.dll", "odbccu32.dll", "odbcint.dll", "odbctrac.dll", "oemlicense.dll", "offfilt.dll", "officecsp.dll", "offlinelsa.dll", "offlinesam.dll", "offreg.dll", "ole32.dll", "oleacc.dll", "oleacchooks.dll", "oleaccrc.dll", "oleaut32.dll", "oledlg.dll", "oleprn.dll", "omadmagent.dll", "omadmapi.dll", "onebackuphandler.dll", "onex.dll", "onexui.dll", "opcservices.dll", "opengl32.dll", "ortcengine.dll", "osbaseln.dll", "osksupport.dll", "osuninst.dll", "p2p.dll", "p2pgraph.dll", "p2pnetsh.dll", "p2psvc.dll", "packager.dll", "panmap.dll", "pautoenr.dll", "pcacli.dll", 
"pcadm.dll", "pcaevts.dll", "pcasvc.dll", "pcaui.dll", "pcpksp.dll", "pcsvdevice.dll", "pcwum.dll", "pcwutl.dll", "pdh.dll", "pdhui.dll", "peerdist.dll", "peerdistad.dll", "peerdistcleaner.dll", "peerdistsh.dll", "peerdistsvc.dll", "peopleapis.dll", "peopleband.dll", "perceptiondevice.dll", "perfctrs.dll", "perfdisk.dll", "perfnet.dll", "perfos.dll", "perfproc.dll", "perfts.dll", "phoneom.dll", "phoneproviders.dll", "phoneservice.dll", "phoneserviceres.dll", "phoneutil.dll", "phoneutilres.dll", "photowiz.dll", "pickerplatform.dll", "pid.dll", "pidgenx.dll", "pifmgr.dll", "pimstore.dll", "pkeyhelper.dll", "pktmonapi.dll", "pku2u.dll", "pla.dll", "playlistfolder.dll", "playsndsrv.dll", "playtodevice.dll", "playtomanager.dll", "playtomenu.dll", "playtoreceiver.dll", "ploptin.dll", "pmcsnap.dll", "pngfilt.dll", "pnidui.dll", "pnpclean.dll", "pnppolicy.dll", "pnpts.dll", "pnpui.dll", "pnpxassoc.dll", "pnpxassocprx.dll", "pnrpauto.dll", "pnrphc.dll", "pnrpnsp.dll", "pnrpsvc.dll", "policymanager.dll", "polstore.dll", "posetup.dll", "posyncservices.dll", "pots.dll", "powercpl.dll", "powrprof.dll", "ppcsnap.dll", "prauthproviders.dll", "prflbmsg.dll", "printui.dll", "printwsdahost.dll", "prm0009.dll", "prncache.dll", "prnfldr.dll", "prnntfy.dll", "prntvpt.dll", "profapi.dll", "profext.dll", "profprov.dll", "profsvc.dll", "profsvcext.dll", "propsys.dll", "provcore.dll", "provdatastore.dll", "provdiagnostics.dll", "provengine.dll", "provhandlers.dll", "provisioningcsp.dll", "provmigrate.dll", "provops.dll", "provplugineng.dll", "provsysprep.dll", "provthrd.dll", "proximitycommon.dll", "proximityservice.dll", "prvdmofcomp.dll", "psapi.dll", "pshed.dll", "psisdecd.dll", "psmsrv.dll", "pstask.dll", "pstorec.dll", "ptpprov.dll", "puiapi.dll", "puiobj.dll", "pushtoinstall.dll", "pwlauncher.dll", "pwrshplugin.dll", "pwsso.dll", "qasf.dll", "qcap.dll", "qdv.dll", "qdvd.dll", "qedit.dll", "qedwipes.dll", "qmgr.dll", "query.dll", "quiethours.dll", "qwave.dll", "racengn.dll", 
"racpldlg.dll", "radardt.dll", "radarrs.dll", "radcui.dll", "rasadhlp.dll", "rasapi32.dll", "rasauto.dll", "raschap.dll", "raschapext.dll", "rasctrs.dll", "rascustom.dll", "rasdiag.dll", "rasdlg.dll", "rasgcw.dll", "rasman.dll", "rasmans.dll", "rasmbmgr.dll", "rasmediamanager.dll", "rasmm.dll", "rasmontr.dll", "rasplap.dll", "rasppp.dll", "rastapi.dll", "rastls.dll", "rastlsext.dll", "rdbui.dll", "rdpbase.dll", "rdpcfgex.dll", "rdpcore.dll", "rdpcorets.dll", "rdpencom.dll", "rdpendp.dll", "rdpnano.dll", "rdpsaps.dll", "rdpserverbase.dll", "rdpsharercom.dll", "rdpudd.dll", "rdpviewerax.dll", "rdsappxhelper.dll", "rdsdwmdr.dll", "rdvvmtransport.dll", "rdxservice.dll", "rdxtaskfactory.dll", "reagent.dll", "reagenttask.dll", "recovery.dll", "regapi.dll", "regctrl.dll", "regidle.dll", "regsvc.dll", "reguwpapi.dll", "reinfo.dll", "remotepg.dll", "remotewipecsp.dll", "reportingcsp.dll", "resampledmo.dll", "resbparser.dll", "reseteng.dll", "resetengine.dll", "resetengonline.dll", "resourcemapper.dll", "resutils.dll", "rgb9rast.dll", "riched20.dll", "riched32.dll", "rjvmdmconfig.dll", "rmapi.dll", "rmclient.dll", "rnr20.dll", "roamingsecurity.dll", "rometadata.dll", "rotmgr.dll", "rpcepmap.dll", "rpchttp.dll", "rpcns4.dll", "rpcnsh.dll", "rpcrt4.dll", "rpcrtremote.dll", "rpcss.dll", "rsaenh.dll", "rshx32.dll", "rstrtmgr.dll", "rtffilt.dll", "rtm.dll", "rtmediaframe.dll", "rtmmvrortc.dll", "rtutils.dll", "rtworkq.dll", "rulebasedds.dll", "samcli.dll", "samlib.dll", "samsrv.dll", "sas.dll", "sbe.dll", "sbeio.dll", "sberes.dll", "sbservicetrigger.dll", "scansetting.dll", "scardbi.dll", "scarddlg.dll", "scardsvr.dll", "scavengeui.dll", "scdeviceenum.dll", "scecli.dll", "scesrv.dll", "schannel.dll", "schedcli.dll", "schedsvc.dll", "scksp.dll", "scripto.dll", "scrobj.dll", "scrptadm.dll", "scrrun.dll", "sdcpl.dll", "sdds.dll", "sdengin2.dll", "sdfhost.dll", "sdhcinst.dll", "sdiageng.dll", "sdiagprv.dll", "sdiagschd.dll", "sdohlp.dll", "sdrsvc.dll", "sdshext.dll", 
"searchfolder.dll", "sechost.dll", "seclogon.dll", "secproc.dll", "secproc_isv.dll", "secproc_ssp.dll", "secproc_ssp_isv.dll", "secur32.dll", "security.dll", "semgrps.dll", "semgrsvc.dll", "sendmail.dll", "sens.dll", "sensapi.dll", "sensorsapi.dll", "sensorscpl.dll", "sensorservice.dll", "sensorsnativeapi.dll", "sensorsutilsv2.dll", "sensrsvc.dll", "serialui.dll", "servicinguapi.dll", "serwvdrv.dll", "sessenv.dll", "setbcdlocale.dll", "settingmonitor.dll", "settingsync.dll", "settingsynccore.dll", "setupapi.dll", "setupcl.dll", "setupcln.dll", "setupetw.dll", "sfc.dll", "sfc_os.dll", "sgrmenclave.dll", "shacct.dll", "shacctprofile.dll", "sharedpccsp.dll", "sharedrealitysvc.dll", "sharehost.dll", "sharemediacpl.dll", "shcore.dll", "shdocvw.dll", "shell32.dll", "shellstyle.dll", "shfolder.dll", "shgina.dll", "shimeng.dll", "shimgvw.dll", "shlwapi.dll", "shpafact.dll", "shsetup.dll", "shsvcs.dll", "shunimpl.dll", "shutdownext.dll", "shutdownux.dll", "shwebsvc.dll", "signdrv.dll", "simauth.dll", "simcfg.dll", "skci.dll", "slc.dll", "slcext.dll", "slwga.dll", "smartscreenps.dll", "smbhelperclass.dll", "smbwmiv2.dll", "smiengine.dll", "smphost.dll", "smsroutersvc.dll", "sndvolsso.dll", "snmpapi.dll", "socialapis.dll", "softkbd.dll", "softpub.dll", "sortwindows61.dll", "sortwindows62.dll", "spacebridge.dll", "spacecontrol.dll", "spatializerapo.dll", "spatialstore.dll", "spbcd.dll", "speechpal.dll", "spfileq.dll", "spinf.dll", "spmpm.dll", "spnet.dll", "spoolss.dll", "spopk.dll", "spp.dll", "sppc.dll", "sppcext.dll", "sppcomapi.dll", "sppcommdlg.dll", "sppinst.dll", "sppnp.dll", "sppobjs.dll", "sppwinob.dll", "sppwmi.dll", "spwinsat.dll", "spwizeng.dll", "spwizimg.dll", "spwizres.dll", "spwmp.dll", "sqlsrv32.dll", "sqmapi.dll", "srchadmin.dll", "srclient.dll", "srcore.dll", "srevents.dll", "srh.dll", "srhelper.dll", "srm.dll", "srmclient.dll", "srmlib.dll", "srmscan.dll", "srmshell.dll", "srmstormod.dll", "srmtrace.dll", "srm_ps.dll", "srpapi.dll", "srrstr.dll", 
"srumapi.dll", "srumsvc.dll", "srvcli.dll", "srvsvc.dll", "srwmi.dll", "sscore.dll", "sscoreext.dll", "ssdm.dll", "ssdpapi.dll", "ssdpsrv.dll", "sspicli.dll", "sspisrv.dll", "ssshim.dll", "sstpsvc.dll", "starttiledata.dll", "startupscan.dll", "stclient.dll", "sti.dll", "sti_ci.dll", "stobject.dll", "storageusage.dll", "storagewmi.dll", "storewuauth.dll", "storprop.dll", "storsvc.dll", "streamci.dll", "structuredquery.dll", "sud.dll", "svf.dll", "svsvc.dll", "swprv.dll", "sxproxy.dll", "sxs.dll", "sxshared.dll", "sxssrv.dll", "sxsstore.dll", "synccenter.dll", "synccontroller.dll", "synchostps.dll", "syncproxy.dll", "syncreg.dll", "syncres.dll", "syncsettings.dll", "syncutil.dll", "sysclass.dll", "sysfxui.dll", "sysmain.dll", "sysntfy.dll", "syssetup.dll", "systemcpl.dll", "t2embed.dll", "tabbtn.dll", "tabbtnex.dll", "tabsvc.dll", "tapi3.dll", "tapi32.dll", "tapilua.dll", "tapimigplugin.dll", "tapiperf.dll", "tapisrv.dll", "tapisysprep.dll", "tapiui.dll", "taskapis.dll", "taskbarcpl.dll", "taskcomp.dll", "taskschd.dll", "taskschdps.dll", "tbauth.dll", "tbs.dll", "tcbloader.dll", "tcpipcfg.dll", "tcpmib.dll", "tcpmon.dll", "tcpmonui.dll", "tdh.dll", "tdlmigration.dll", "tellib.dll", "termmgr.dll", "termsrv.dll", "tetheringclient.dll", "tetheringmgr.dll", "tetheringservice.dll", "tetheringstation.dll", "textshaping.dll", "themecpl.dll", "themeservice.dll", "themeui.dll", "threadpoolwinrt.dll", "thumbcache.dll", "timebrokerclient.dll", "timebrokerserver.dll", "timesync.dll", "timesynctask.dll", "tlscsp.dll", "tokenbinding.dll", "tokenbroker.dll", "tokenbrokerui.dll", "tpmcertresources.dll", "tpmcompc.dll", "tpmtasks.dll", "tpmvsc.dll", "tquery.dll", "traffic.dll", "transportdsa.dll", "trie.dll", "trkwks.dll", "tsbyuv.dll", "tscfgwmi.dll", "tserrredir.dll", "tsf3gip.dll", "tsgqec.dll", "tsmf.dll", "tspkg.dll", "tspubwmi.dll", "tssessionux.dll", "tssrvlic.dll", "tsworkspace.dll", "ttdloader.dll", "ttdplm.dll", "ttdrecord.dll", "ttdrecordcpu.dll", "ttlsauth.dll", 
"ttlscfg.dll", "ttlsext.dll", "tvratings.dll", "twext.dll", "twinapi.dll", "twinui.dll", "txflog.dll", "txfw32.dll", "tzautoupdate.dll", "tzres.dll", "tzsyncres.dll", "ubpm.dll", "ucmhc.dll", "ucrtbase.dll", "ucrtbase_clr0400.dll", "ucrtbase_enclave.dll", "udhisapi.dll", "udwm.dll", "ueficsp.dll", "uexfat.dll", "ufat.dll", "uiamanager.dll", "uianimation.dll", "uiautomationcore.dll", "uicom.dll", "uireng.dll", "uiribbon.dll", "uiribbonres.dll", "ulib.dll", "umb.dll", "umdmxfrm.dll", "umpdc.dll", "umpnpmgr.dll", "umpo-overrides.dll", "umpo.dll", "umpoext.dll", "umpowmi.dll", "umrdp.dll", "unattend.dll", "unenrollhook.dll", "unimdmat.dll", "uniplat.dll", "unistore.dll", "untfs.dll", "updateagent.dll", "updatecsp.dll", "updatepolicy.dll", "upnp.dll", "upnphost.dll", "upshared.dll", "urefs.dll", "urefsv1.dll", "ureg.dll", "url.dll", "urlmon.dll", "usbcapi.dll", "usbceip.dll", "usbmon.dll", "usbperf.dll", "usbpmapi.dll", "usbtask.dll", "usbui.dll", "user32.dll", "usercpl.dll", "userdataservice.dll", "userdatatimeutil.dll", "userenv.dll", "userinitext.dll", "usermgr.dll", "usermgrcli.dll", "usermgrproxy.dll", "usoapi.dll", "usocoreps.dll", "usosvc.dll", "usp10.dll", "ustprov.dll", "utcutil.dll", "utildll.dll", "uudf.dll", "uvcmodel.dll", "uwfcfgmgmt.dll", "uwfcsp.dll", "uwfservicingapi.dll", "uxinit.dll", "uxlib.dll", "uxlibres.dll", "uxtheme.dll", "vac.dll", "van.dll", "vault.dll", "vaultcds.dll", "vaultcli.dll", "vaultroaming.dll", "vaultsvc.dll", "vbsapi.dll", "vbscript.dll", "vbssysprep.dll", "vcardparser.dll", "vdsbas.dll", "vdsdyn.dll", "vdsutil.dll", "vdsvd.dll", "vds_ps.dll", "verifier.dll", "version.dll", "vertdll.dll", "vfuprov.dll", "vfwwdm32.dll", "vhfum.dll", "vid.dll", "videohandlers.dll", "vidreszr.dll", "virtdisk.dll", "vmbuspipe.dll", "vmdevicehost.dll", "vmictimeprovider.dll", "vmrdvcore.dll", "voiprt.dll", "vpnike.dll", "vpnikeapi.dll", "vpnsohdesktop.dll", "vpnv2csp.dll", "vscmgrps.dll", "vssapi.dll", "vsstrace.dll", "vss_ps.dll", "w32time.dll", 
"w32topl.dll", "waasassessment.dll", "waasmediccapsule.dll", "waasmedicps.dll", "waasmedicsvc.dll", "wabsyncprovider.dll", "walletproxy.dll", "walletservice.dll", "wavemsp.dll", "wbemcomn.dll", "wbiosrvc.dll", "wci.dll", "wcimage.dll", "wcmapi.dll", "wcmcsp.dll", "wcmsvc.dll", "wcnapi.dll", "wcncsvc.dll", "wcneapauthproxy.dll", "wcneappeerproxy.dll", "wcnnetsh.dll", "wcnwiz.dll", "wc_storage.dll", "wdc.dll", "wdi.dll", "wdigest.dll", "wdscore.dll", "webauthn.dll", "webcamui.dll", "webcheck.dll", "webclnt.dll", "webio.dll", "webservices.dll", "websocket.dll", "wecapi.dll", "wecsvc.dll", "wephostsvc.dll", "wer.dll", "werconcpl.dll", "wercplsupport.dll", "werenc.dll", "weretw.dll", "wersvc.dll", "werui.dll", "wevtapi.dll", "wevtfwd.dll", "wevtsvc.dll", "wfapigp.dll", "wfdprov.dll", "wfdsconmgr.dll", "wfdsconmgrsvc.dll", "wfhc.dll", "whealogr.dll", "whhelper.dll", "wiaaut.dll", "wiadefui.dll", "wiadss.dll", "wiarpc.dll", "wiascanprofiles.dll", "wiaservc.dll", "wiashext.dll", "wiatrace.dll", "wificloudstore.dll", "wificonfigsp.dll", "wifidisplay.dll", "wimgapi.dll", "win32spl.dll", "win32u.dll", "winbio.dll", "winbiodatamodel.dll", "winbioext.dll", "winbrand.dll", "wincorlib.dll", "wincredprovider.dll", "wincredui.dll", "windowmanagement.dll", "windowscodecs.dll", "windowscodecsext.dll", "windowscodecsraw.dll", "windowsiotcsp.dll", "windowslivelogin.dll", "winethc.dll", "winhttp.dll", "winhttpcom.dll", "winhvemulation.dll", "winhvplatform.dll", "wininet.dll", "wininetlui.dll", "wininitext.dll", "winipcfile.dll", "winipcsecproc.dll", "winipsec.dll", "winlangdb.dll", "winlogonext.dll", "winmde.dll", "winml.dll", "winmm.dll", "winmmbase.dll", "winmsipc.dll", "winnlsres.dll", "winnsi.dll", "winreagent.dll", "winrnr.dll", "winrscmd.dll", "winrsmgr.dll", "winrssrv.dll", "winrttracing.dll", "winsatapi.dll", "winscard.dll", "winsetupui.dll", "winshfhc.dll", "winsku.dll", "winsockhc.dll", "winsqlite3.dll", "winsrpc.dll", "winsrv.dll", "winsrvext.dll", "winsta.dll", 
"winsync.dll", "winsyncmetastore.dll", "winsyncproviders.dll", "wintrust.dll", "wintypes.dll", "winusb.dll", "wirednetworkcsp.dll", "wisp.dll", "wkscli.dll", "wkspbrokerax.dll", "wksprtps.dll", "wkssvc.dll", "wlanapi.dll", "wlancfg.dll", "wlanconn.dll", "wlandlg.dll", "wlangpui.dll", "wlanhc.dll", "wlanhlp.dll", "wlanmediamanager.dll", "wlanmm.dll", "wlanmsm.dll", "wlanpref.dll", "wlanradiomanager.dll", "wlansec.dll", "wlansvc.dll", "wlansvcpal.dll", "wlanui.dll", "wlanutil.dll", "wldap32.dll", "wldp.dll", "wlgpclnt.dll", "wlidcli.dll", "wlidcredprov.dll", "wlidfdp.dll", "wlidnsp.dll", "wlidprov.dll", "wlidres.dll", "wlidsvc.dll", "wmadmod.dll", "wmadmoe.dll", "wmalfxgfxdsp.dll", "wmasf.dll", "wmcodecdspps.dll", "wmdmlog.dll", "wmdmps.dll", "wmdrmsdk.dll", "wmerror.dll", "wmi.dll", "wmiclnt.dll", "wmicmiplugin.dll", "wmidcom.dll", "wmidx.dll", "wmiprop.dll", "wmitomi.dll", "wmnetmgr.dll", "wmp.dll", "wmpdui.dll", "wmpdxm.dll", "wmpeffects.dll", "wmphoto.dll", "wmploc.dll", "wmpps.dll", "wmpshell.dll", "wmsgapi.dll", "wmspdmod.dll", "wmspdmoe.dll", "wmvcore.dll", "wmvdecod.dll", "wmvdspa.dll", "wmvencod.dll", "wmvsdecd.dll", "wmvsencd.dll", "wmvxencd.dll", "woftasks.dll", "wofutil.dll", "wordbreakers.dll", "workfoldersgpext.dll", "workfoldersres.dll", "workfoldersshell.dll", "workfolderssvc.dll", "wosc.dll", "wow64.dll", "wow64cpu.dll", "wow64win.dll", "wpbcreds.dll", "wpc.dll", "wpcapi.dll", "wpcdesktopmonsvc.dll", "wpcproxystubs.dll", "wpcrefreshtask.dll", "wpcwebfilter.dll", "wpdbusenum.dll", "wpdshext.dll", "wpdshserviceobj.dll", "wpdsp.dll", "wpd_ci.dll", "wpnapps.dll", "wpnclient.dll", "wpncore.dll", "wpninprc.dll", "wpnprv.dll", "wpnservice.dll", "wpnsruprov.dll", "wpnuserservice.dll", "wpportinglibrary.dll", "wpprecorderum.dll", "wptaskscheduler.dll", "wpx.dll", "ws2help.dll", "ws2_32.dll", "wscapi.dll", "wscinterop.dll", "wscisvif.dll", "wsclient.dll", "wscproxystub.dll", "wscsvc.dll", "wsdapi.dll", "wsdchngr.dll", "wsdprintproxy.dll", 
"wsdproviderutil.dll", "wsdscanproxy.dll", "wsecedit.dll", "wsepno.dll", "wshbth.dll", "wshcon.dll", "wshelper.dll", "wshext.dll", "wshhyperv.dll", "wship6.dll", "wshqos.dll", "wshrm.dll", "wshtcpip.dll", "wshunix.dll", "wslapi.dll", "wsmagent.dll", "wsmauto.dll", "wsmplpxy.dll", "wsmres.dll", "wsmsvc.dll", "wsmwmipl.dll", "wsnmp32.dll", "wsock32.dll", "wsplib.dll", "wsp_fs.dll", "wsp_health.dll", "wsp_sr.dll", "wtsapi32.dll", "wuapi.dll", "wuaueng.dll", "wuceffects.dll", "wudfcoinstaller.dll", "wudfplatform.dll", "wudfsmcclassext.dll", "wudfx.dll", "wudfx02000.dll", "wudriver.dll", "wups.dll", "wups2.dll", "wuuhext.dll", "wuuhosdeployment.dll", "wvc.dll", "wwaapi.dll", "wwaext.dll", "wwanapi.dll", "wwancfg.dll", "wwanhc.dll", "wwanprotdim.dll", "wwanradiomanager.dll", "wwansvc.dll", "wwapi.dll", "xamltilerender.dll", "xaudio2_8.dll", "xaudio2_9.dll", "xblauthmanager.dll", "xblgamesave.dll", "xblgamesaveext.dll", "xblgamesaveproxy.dll", "xboxgipsvc.dll", "xboxgipsynthetic.dll", "xboxnetapisvc.dll", "xinput1_4.dll", "xinput9_1_0.dll", "xinputuap.dll", "xmlfilter.dll", "xmllite.dll", "xmlprovi.dll", "xolehlp.dll", "xpsgdiconverter.dll", "xpsprint.dll", "xpspushlayer.dll", "xpsrasterservice.dll", "xpsservices.dll", "xwizards.dll", "xwreg.dll", "xwtpdui.dll", "xwtpw32.dll", "zipcontainer.dll", "zipfldr.dll", "bootsvc.dll", "halextintcpsedma.dll", "icsvcvss.dll", "ieproxydesktop.dll", "lsaadt.dll", "nlansp_c.dll", "nrtapi.dll", "opencl.dll", "pfclient.dll", "pnpdiag.dll", "prxyqry.dll", "rdpnanotransport.dll", "servicingcommon.dll", "sortwindows63.dll", "sstpcfg.dll", "tdhres.dll", "umpodev.dll", "utcapi.dll", "windlp.dll", "wow64base.dll", "wow64con.dll", "blbuires.dll", "bpainst.dll", "cbclient.dll", "certadm.dll", "certocm.dll", "certpick.dll", "csdeployres.dll", "dsdeployres.dll", "eapa3hst.dll", "eapacfg.dll", "eapahost.dll", "elsext.dll", "encdump.dll", "escmigplugin.dll", "fsclient.dll", "fsdeployres.dll", "fssminst.dll", "fssmres.dll", "fssprov.dll", 
"ipamapi.dll", "kpssvc.dll", "lbfoadminlib.dll", "mintdh.dll", "mmci.dll", "mmcico.dll", "mprsnap.dll", "mstsmhst.dll", "mstsmmc.dll", "muxinst.dll", "personax.dll", "rassfm.dll", "rasuser.dll", "rdmsinst.dll", "rdmsres.dll", "rtrfiltr.dll", "sacsvr.dll", "scrdenrl.dll", "sdclient.dll", "sharedstartmodel.dll", "smsrouter.dll", "spwizimg_svr.dll", "sqlcecompact40.dll", "sqlceoledb40.dll", "sqlceqp40.dll", "sqlcese40.dll", "srvmgrinst.dll", "svrmgrnc.dll", "tapisnap.dll", "tlsbrand.dll", "tsec.dll", "tsprop.dll", "tspubiconhelper.dll", "tssdjet.dll", "tsuserex.dll", "ualapi.dll", "ualsvc.dll", "umcres.dll", "updatehandlers.dll", "usocore.dll", "vssui.dll", "wsbappres.dll", "wsbonline.dll", "wsmselpl.dll", "wsmselrr.dll", "xpsfilt.dll", "xpsshhdr.dll"
 ) and not (
- (dll.name : "icuuc.dll" and dll.code_signature.subject_name == "Valve" and dll.code_signature.trusted == true) or
- (dll.name : "dbghelp.dll" and dll.code_signature.trusted == true) or
+ (
+ dll.name : "icuuc.dll" and dll.code_signature.subject_name in (
+ "Valve", "Valve Corp.", "Avanquest Software (7270356 Canada Inc)", "Adobe Inc."
+ ) and dll.code_signature.trusted == true
+ ) or
+ (
+ dll.name : ("timeSync.dll", "appInfo.dll") and dll.code_signature.subject_name in (
+ "VMware Inc.", "VMware, Inc."
+ ) and dll.code_signature.trusted == true
+ ) or
+ (
+ dll.name : "libcrypto.dll" and dll.code_signature.subject_name in (
+ "NoMachine S.a.r.l.", "Bitdefender SRL", "Oculus VR, LLC"
+ ) and dll.code_signature.trusted == true
+ ) or
+ (
+ dll.name : "ucrtbase.dll" and dll.code_signature.subject_name in (
+ "Proofpoint, Inc.", "Rapid7 LLC", "Eclipse.org Foundation, Inc.", "Amazon.com Services LLC", "Windows Phone"
+ ) and dll.code_signature.trusted == true
+ ) or
+ (dll.name : "ICMP.dll" and dll.code_signature.subject_name == "Paessler AG" and dll.code_signature.trusted == true) or
+ (dll.name : "kerberos.dll" and dll.code_signature.subject_name == "Bitdefender SRL" and dll.code_signature.trusted == true) or
+ (dll.name : "dbghelp.dll" and dll.code_signature.trusted == true) or
 (dll.name : "DirectML.dll" and dll.code_signature.subject_name == "Adobe Inc." and dll.code_signature.trusted == true) or
 (
 dll.path : (
@@ -76,9 +99,47 @@ id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = "DLL Search Order Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.002"
+name = "DLL Side-Loading"
+reference = "https://attack.mitre.org/techniques/T1574/002/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1554"
+name = "Compromise Client Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
index 835f72aef..b844f7db2 100644
--- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
+++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/20"
+updated_date = "2023/10/13"
 bypass_bbr_timing = true
 [rule]
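Review bot: The second `[[rule.threat]]` block added at the end of this hunk maps the rule to T1554 under the Persistence tactic (TA0003), and the unit tests on `tags` (the ones `DR_BYPASS_TAGS_VALIDATION` bypasses) most likely expect a matching `"Tactic: Persistence"` entry in the rule's `tags`; the sibling system32_exe rule receives that tag in this same commit, but this file's `tags` line is outside the visible hunks, so confirm it was updated here as well. T1554 describes tampering with legitimate client software binaries, whereas the name-and-path matching this rule performs (see the signer exclusions in the preceding hunk) reads closer to the T1574.002 and T1036.005 sub-techniques also added above, so consider whether the Persistence mapping is intended. If it is, the block is fine as written; if not, dropping the T1554 `[[rule.threat]]` block keeps the rule scoped to Defense Evasion and avoids a tactic tag that triage would otherwise have to account for.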
@@ -21,7 +21,7 @@ name = "Potential Masquerading as System32 Executable" risk_score = 21 rule_id = "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47" severity = "low" -tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"] timestamp_override = "event.ingested" building_block_type = "default" type = "eql" @@ -63,9 +63,31 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Client Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml new file mode 100644 index 000000000..f273286ee --- /dev/null +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml 
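Review bot: In the `@@ -63,9 +63,31 @@` hunk the new T1036.005 sub-technique table runs directly into `[rule.threat.tactic]` with no separating blank line, whereas every other technique table added in this commit is followed by one, and the file now ends with an extra blank line. Suggest adding a blank line after `reference = "https://attack.mitre.org/techniques/T1036/005/"` and dropping the trailing one. Mapping a renamed-System32-executable detection to T1554 (Compromise Client Software Binary) is also a stretch of that technique's meaning; if it is intentional, a one-line rationale in the description would help the next maintainer.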
@@ -0,0 +1,60 @@ +[metadata] +creation_date = "2023/09/26" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/26" + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual +parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. +""" +references = [ + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd" +] +from = "now-119m" +interval = "60m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Suspicious Troubleshooting Pack Cabinet Execution" +risk_score = 21 +rule_id = "808291d3-e918-4a3a-86cd-73052a0c9bdc" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +timestamp_override = "event.ingested" +building_block_type = "default" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.action == "start" and + (process.name : "msdt.exe" or process.pe.original_file_name == "msdt.exe") and process.args : "/cab" and + process.parent.name : ( + "firefox.exe", "chrome.exe", "msedge.exe", "explorer.exe", "brave.exe", "whale.exe", "browser.exe", + "dragon.exe", "vivaldi.exe", "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe", + "winrar.exe", "winrar.exe", "7zFM.exe", "outlook.exe", "winword.exe", "excel.exe" + ) and + process.args : ( + "?:\\Users\\*", + "\\\\*", + "http*", + "ftp://*" + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [[rule.threat.technique]] + name = "System Binary Proxy Execution" + id = "T1218" + reference = "https://attack.mitre.org/techniques/T1218/" + + [rule.threat.tactic] + name = "Defense Evasion" + id 
= "TA0005" + reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml new file mode 100644 index 000000000..8ee273efc --- /dev/null +++ b/rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml 
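Review bot: The `process.parent.name` list in the new query contains duplicates — `"firefox.exe"` and `"winrar.exe"` each appear twice — and a bare `"iexplore"` next to `"iexplore.exe"`; since `:` on a list is an exact (case-insensitive) match without an implicit wildcard, the bare entry cannot match the `.exe`-suffixed process name and is dead. Dedupe the list and remove the bare `"iexplore"` entry, e.g. `"dragon.exe", "vivaldi.exe", "opera.exe", "waterfox.exe", "iexplore.exe",`. The `[[rule.threat.technique]]` and `[rule.threat.tactic]` tables are indented with leading spaces, unlike every other rule file in this commit; aligning them to column 0 keeps the files uniform.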
@@ -0,0 +1,65 @@ +[metadata] +creation_date = "2023/09/26" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/26" + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of an installer from an archive or with suspicious properties. Adversaries may abuse +msiexec.exe to launch local or network accessible MSI files in an attempt to bypass application whitelisting. +""" +references = [ + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/" +] +from = "now-119m" +interval = "60m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Windows Installer with Suspicious Properties" +risk_score = 21 +rule_id = "55f07d1b-25bc-4a0f-aa0c-05323c1319d0" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +building_block_type = "default" +type = "eql" + +query = ''' +sequence with maxspan=1m + [registry where host.os.type == "windows" and process.name : "msiexec.exe" and + ( + (registry.value : "InstallSource" and + registry.data.strings : ("?:\\Users\\*\\Temp\\Temp?_*.zip\\*", + "?:\\Users\\*\\*.7z\\*", + "?:\\Users\\*\\*.rar\\*")) or + + (registry.value : ("DisplayName", "ProductName") and registry.data.strings : "SetupTest") + )] + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : "msiexec.exe" and + not process.name : "msiexec.exe" and + not (process.executable : ("?:\\Program Files (x86)\\*.exe", "?:\\Program Files\\*.exe") and process.code_signature.trusted == true)] +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = 
"T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml index a14ffedf1..55d9a7620 100644 --- a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml +++ b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/06" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -18,8 +18,13 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Log Clear Capabilities" -note = """## Setup - +references = [ + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog" +] +risk_score = 21 +rule_id = "3d3aa8f9-12af-441f-9344-9f31053e316d" +setup = """ The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: 
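Review bot: The new msiexec InstallSource rule omits `timestamp_override = "event.ingested"`, which every other rule added in this commit (diagcab, suspicious msiexec, unsigned BITS client) sets right after `tags`; with `from = "now-119m"` and `interval = "60m"` the lookback is clearly tuned for ingest delay, so the omission looks accidental — add `timestamp_override = "event.ingested"` after the `tags` line. Cosmetically, the three consecutive blank lines before `[rule.threat.tactic]` and the missing blank line between `[[rule.threat]]` and its first technique table differ from the sibling files. The description's "application whitelisting" could be "application control" to match current vendor terminology, but that is optional.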
@@ -36,12 +41,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", - "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog" -] -risk_score = 21 -rule_id = "3d3aa8f9-12af-441f-9344-9f31053e316d" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" @@ -55,6 +54,9 @@ event.category:process and host.os.type:windows and "Remove-EventLog" or ("Eventing.Reader.EventLogSession" and ".ClearLog") or ("Diagnostics.EventLog" and ".Clear") + ) and + not file.path : ( + ?\:\\\\*\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1 ) ''' diff --git a/rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml new file mode 100644 index 000000000..e86ebf774 --- /dev/null +++ b/rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml 
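Review bot: The exclusion added in the `@@ -55,6 +54,9 @@` hunk suppresses every `.psd1` under `system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\`, while the false positive it targets is presumably the one shipped module manifest that lists `Remove-EventLog` among its exported cmdlets. Narrowing the glob to that manifest, e.g. `?\:\\\\*\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\Microsoft.PowerShell.Management.psd1`, keeps the fix without hiding any other manifest that lands in that directory; writing there needs administrative rights, so the exposure is small, but the wider pattern still excludes more than it needs to. The enclosing `query` block starts outside this hunk.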
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/09/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/04"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching
+directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux
+to execute commands while attempting to evade detection.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potentially Suspicious Process Started via tmux or screen"
+risk_score = 21
+rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process.parent.name in ("screen", "tmux") and process.name : (
+ "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "python*", "php*", "perl", "ruby",
+ "lua*", "openssl", "telnet", "awk", "wget", "curl", "whoami", "id"
+ )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
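Review bot: The threat mapping to T1218 (System Binary Proxy Execution) sits oddly on a Linux rule whose trigger is `screen`/`tmux` being the parent process — that technique describes proxying execution through trusted system binaries, while the description frames this as commands left running in the background under a multiplexer; confirm this is the intended technique rather than a tactic-only mapping. The description sentence "When launching a command and detaching directly, the commands will be executed in the background via its parent process" would read more clearly as "When a command is launched and the session is detached immediately, the command keeps running in the background with the multiplexer as its parent process."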
diff --git a/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml new file mode 100644 index 000000000..a0e071a57 --- /dev/null +++ b/rules_building_block/defense_evasion_suspicious_msiexec_execution.toml 
@@ -0,0 +1,81 @@ +[metadata] +creation_date = "2023/09/26" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/26" + +[rule] +author = ["Elastic"] +description = """ +Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or +parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files. +""" +references = [ + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/" +] +from = "now-119m" +interval = "60m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Suspicious Execution via MSIEXEC" +risk_score = 21 +rule_id = "708c9d92-22a3-4fe0-b6b9-1f861c55502d" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +timestamp_override = "event.ingested" +building_block_type = "default" +type = "eql" + +query = ''' +process where host.os.type == "windows" and event.action == "start" and + process.name : "msiexec.exe" and user.id : ("S-1-5-21*", "S-1-12-*") and process.parent.executable != null and + ( + (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and + process.args : ("?:\\Users\\*", "?:\\ProgramData\\*") and + not process.parent.executable : ("?:\\Program Files (x86)\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Windows\\explorer.exe", + "?:\\Users\\*\\Desktop\\*", + "?:\\Users\\*\\Downloads\\*", + "?:\\programdata\\*")) or + + (process.args_count == 1 and not process.parent.executable : ("?:\\Windows\\explorer.exe", "?:\\Windows\\SysWOW64\\explorer.exe")) or + + (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and + 
(process.parent.args : "Schedule" or process.parent.name : "wmiprvse.exe" or + process.parent.executable : "?:\\Users\\*\\AppData\\*" or + (process.parent.name : ("powershell.exe", "cmd.exe") and length(process.parent.command_line) >= 200))) or + + (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and + process.working_directory : "?:\\" and process.parent.name : ("cmd.exe", "powershell.exe")) + ) and + + /* noisy pattern */ + not (process.parent.executable : "?:\\Users\\*\\AppData\\Local\\Temp\\*" and process.parent.args_count >= 2 and + process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\*\\*.msi") and + + not process.args : ("?:\\Program Files (x86)\\*", "?:\\Program Files\\*") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_unsigned_bits_client.toml b/rules_building_block/defense_evasion_unsigned_bits_client.toml new file mode 100644 index 000000000..7b778e154 --- /dev/null +++ b/rules_building_block/defense_evasion_unsigned_bits_client.toml 
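Review bot: The description says the rule flags msiexec installing "a package from usual paths or parent process", which contradicts the query (packages under `?:\Users\*` / `?:\ProgramData\*`, non-standard parents) — change it to `Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from unusual paths or with an unusual parent process.`. The three `/i` + `/q` branches require `process.args_count == 4` exactly, so an invocation with one extra switch (for example a fifth argument such as `/norestart`) falls outside all of them; if that is a deliberate noise trade-off, a short `/* ... */` comment in the query next to the first branch would save the next reader from re-deriving it. This hunk begins on the previous line.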
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2023/09/27"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS
+functionality to download or upload data using the BITS service.
+"""
+references = [
+ "https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html",
+ "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"
+]
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unsigned BITS Service Client Process"
+risk_score = 21
+rule_id = "9a3884d0-282d-45ea-86ce-b9c81100f026"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+library where dll.name : "Bitsproxy.dll" and process.executable != null and
+not process.code_signature.trusted == true
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1197"
+name = "BITS Jobs"
+reference = "https://attack.mitre.org/techniques/T1197/"
+
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.001"
+name = "Invalid Code Signature"
+reference = "https://attack.mitre.org/techniques/T1036/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
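Review bot: The query lacks the `host.os.type == "windows"` clause that every other Windows rule added in this commit carries; `library` events for `Bitsproxy.dll` are Windows-only in practice, so the clause is cheap and keeps the rule consistent: `library where host.os.type == "windows" and dll.name : "Bitsproxy.dll" and process.executable != null and`. Note that `not process.code_signature.trusted == true` also matches events where the `process.code_signature` fields are absent entirely, which is what "unsigned" means here but is worth a one-line `/* matches untrusted and missing signatures */` comment since the negation is easy to misread as "signed but untrusted" only.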
diff --git a/rules_building_block/defense_evasion_unusual_process_extension.toml b/rules_building_block/defense_evasion_unusual_process_extension.toml index 74f784b76..c02f7114e 100644 --- a/rules_building_block/defense_evasion_unusual_process_extension.toml +++ b/rules_building_block/defense_evasion_unusual_process_extension.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/23" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -54,6 +54,11 @@ id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.008" +name = "Masquerade File Type" +reference = "https://attack.mitre.org/techniques/T1036/008/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index fb30a9900..771e1703d 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/15" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -60,6 +60,11 @@ id = "T1222" reference = "https://attack.mitre.org/techniques/T1222/" name = "File and Directory Permissions Modification" +[[rule.threat.technique.subtechnique]] +id = "T1222.001" +name = "Windows File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml similarity index 82% rename from rules/windows/discovery_files_dir_systeminfo_via_cmd.toml rename to rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index 680fcfcf0..734988914 100644 --- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml @@ -4,12 +4,15 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. +Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows +Command Shell. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"] 
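Review bot: This rename turns an existing production alerting rule into a building block (`building_block_type = "default"`, `"Rule Type: BBR"` in the following hunk) while keeping the same `rule_id`, so deployments that enabled it as a normal rule will silently start producing building-block alerts, which as far as I recall are filtered out of the default alerts view. That behaviour change is not mentioned anywhere on the page; a sentence in the description or the release notes, e.g. `This rule is now a building block and its alerts are hidden from the default alerts view.`, would let users re-evaluate the rules they layer on top of it. The `bypass_bbr_timing = true` plus `from = "now-9m"` pairing matches the other converted rules in this commit.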
@@ -43,14 +46,28 @@ This rule identifies commands to enumerate system information, files, and folder - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
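Review bot: The new `setup` string opens and closes with blank lines inside the triple quotes and ends with "refer - https://...", which reads awkwardly next to the other `setup` blocks in this commit that start directly with their first sentence. Suggest trimming the leading and trailing blank lines and rewording the last line as `For details on adding a custom ingest pipeline, see https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html`. The multi-line `tags` array closes with an indented `]`, which the other converted rules also do, so that is at least consistent if not pretty.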
@@ -60,9 +77,9 @@ process where host.os.type == "windows" and event.type == "start" and not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\PROGRA~1\\*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" @@ -73,26 +90,25 @@ id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index 640a15c10..06080aad7 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -4,16 +4,17 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/29" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" 
@@ -21,9 +22,14 @@ name = "Windows Account or Group Discovery" risk_score = 21 rule_id = "089db1af-740d-4d84-9a5b-babd6de143b0" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -52,20 +58,23 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "set" ) ) -) and not user.id : "S-1-5-18" +) and not process.parent.args: "C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\DetectionScripts\\*.ps1" +and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" reference = "https://attack.mitre.org/techniques/T1069/001/" + [[rule.threat.technique.subtechnique]] id = "T1069.002" name = "Domain Groups" @@ -80,16 +89,17 @@ reference = "https://attack.mitre.org/techniques/T1201/" id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" + [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml index fc1b1cb28..69bef326d 100644 
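Review bot: In the `@@ -52,20 +58,23 @@` hunk the new Intune exclusion hardcodes the `C:` drive (`"C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\DetectionScripts\\*.ps1"`) while every other path in these rules uses the `?:` drive wildcard, so installs on another system drive keep alerting; and `not process.parent.name : "LTSVC.exe"` excludes on a bare file name, which is the weakest identity a parent can have. Prefer `?:` for the drive, and where the data supports it anchor LTSVC by `process.parent.executable` path (and `process.parent.code_signature.trusted == true`) rather than name so the exclusion does not also cover an arbitrary binary that happens to share the name. `process.parent.args:` also lacks the space before `:` used throughout the rest of the query. The enclosing `query` starts outside this hunk.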
--- a/rules_building_block/discovery_generic_process_discovery.toml +++ b/rules_building_block/discovery_generic_process_discovery.toml @@ -4,16 +4,17 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/16" +updated_date = "2023/09/14" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" @@ -21,9 +22,14 @@ name = "Process Discovery Using Built-in Tools" risk_score = 21 rule_id = "4982ac3e-d0ee-4818-b95d-d9522d689259" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -37,15 +43,14 @@ process where host.os.type == "windows" and event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml index 8eb94c19d..75a979960 100644 --- a/rules_building_block/discovery_generic_registry_query.toml 
+++ b/rules_building_block/discovery_generic_registry_query.toml 
@@ -2,55 +2,61 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/13" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Query Registry using Built-in Tools" risk_score = 21 rule_id = "ded09d02-0137-4ccc-8005-c45e617e8d4c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and -( - ( - process.name == "reg.exe" and process.args : "query" and - not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") - ) or - ( - process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and - (process.args: ("*Get-ChildItem*", "*Get-Item*", "*Get-ItemProperty*") and - process.args : ("*HKLM*", "*HKCU*", "*HKEY_LOCAL_MACHINE*", "*HKEY_CURRENT_USER*", "*Registry::*")) - ) -) and not user.id : "S-1-5-18" +host.os.type:windows and 
event.category:process and event.type:start and ( + (process.name.caseless:"reg.exe" and process.args:"query") or + (process.name.caseless:("powershell.exe" or "powershell_ise.exe" or "pwsh.exe") and + process.command_line.caseless:((*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and + (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or *HKLM* or *Registry\:\:*)))) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "user.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml index 9bc90cdf6..6fcf1b7ca 100644 --- a/rules_building_block/discovery_internet_capabilities.toml +++ b/rules_building_block/discovery_internet_capabilities.toml 
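Review bot: The rewritten KQL query drops two filters the EQL version carried: `not user.id : "S-1-5-18"` and, on the `reg.exe query` branch, `not process.parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")`. If the switch to `new_terms` on `host.id`/`user.id` is meant to absorb that noise (SYSTEM would then surface once per host rather than never), a sentence in the description saying so would stop the next reader from treating it as a regression; otherwise append `and not user.id:"S-1-5-18"` to the query. This hunk begins on the previous line and changes `language`, `type` and `min_stack_version` together, so a `min_stack_comments` mention of the query rewrite alongside the multi-field new_terms note would also be useful.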
@@ -2,50 +2,65 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/12" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/20" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and proxy servers. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Discovery of Internet Capabilities via Built-in Tools" risk_score = 21 rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -type = "eql" -building_block_type = "default" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and - process.name : ("ping.exe", "tracert.exe", "pathping.exe") and - not process.args : ("127.0.0.1", "::1", "0.0.0.0", "192.168.*") +host.os.type:windows and event.category:process and event.type:start and +process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe") and +not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "1.1.1.1" or "1.2.3.4" or "::1") ''' [[rule.threat]] framework = "MITRE 
ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "user.id", "process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index 22574493f..1e21c42d0 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,9 +2,9 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/24" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
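Review bot: In the rewritten `query`, the `192.168.*` exclusion from the EQL version is dropped at the same time `process.command_line` is added to `new_terms_fields`, so each new private-network target pinged on a host now surfaces as a new term, which sits oddly with the rule's Internet-connectivity intent. KQL accepts unquoted wildcards, so `not process.args:("127.0.0.1" or "0.0.0.0" or "localhost" or "1.1.1.1" or "1.2.3.4" or "::1" or 192.168.*)` restores it. If dropping it is deliberate, a sentence in `description` saying that internal targets are now in scope would save the next reader the comparison.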
@@ -23,11 +23,14 @@ false_positives = [ from = "now-119m" interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Enumeration of Kernel Modules via Proc" -note = """## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. +risk_score = 21 +rule_id = "80084fa9-8677-4453-8680-b891d3c0c778" +setup = """ + +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. ``` Kibana --> Management --> 
@@ -35,26 +38,25 @@ Integrations --> Auditd Manager --> Add Auditd Manager ``` -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. For this detection rule to trigger, the following additional audit rules are required to be added to the integration: ``` -w /proc/ -p r -k audit_proc ``` Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ -risk_score = 21 -rule_id = "80084fa9-8677-4453-8680-b891d3c0c778" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = [ + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" building_block_type = "default" query = ''' -file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not -( - process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "SchedulerRunner", "grep") or - process.parent.pid == 1 or process.title : "*grep*" -) +host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" ''' [[rule.threat]] 
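Review bot: The rewritten `tags` list silently drops `"Domain: Endpoint"`, which the old value carried; the sibling modprobe and sysctl rules in this commit never had it, so this may be deliberate alignment, but every other endpoint rule touched here keeps the tag. Either restore it as the first element or mention the removal in the PR description. The process-name and `process.parent.pid == 1` exclusions are also gone, so suppression of routine `lsmod`/`kmod` reads now rests entirely on `new_terms_fields = ["host.id", "process.executable"]` with `history_window_start = "now-7d"`, meaning a tool that runs less often than weekly on a host will re-alert.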
@@ -69,3 +71,12 @@ reference = "https://attack.mitre.org/techniques/T1082/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index 5e2688a6b..46db52891 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml +++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml @@ -2,9 +2,9 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/24" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
@@ -17,11 +17,14 @@ system. from = "now-119m" interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Suspicious Modprobe File Event" -note = """## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. +risk_score = 21 +rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd" +setup = """ + +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. ``` Kibana --> 
@@ -31,7 +34,7 @@ Auditd Manager --> Add Auditd Manager ``` -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. For this detection rule to trigger, the following additional audit rules are required to be added to the integration: ``` 
@@ -41,20 +44,19 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ -risk_score = 21 -rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd" severity = "low" -tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = [ + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" building_block_type = "default" query = ''' -file where host.os.type == "linux" and event.action == "opened-file" and -file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not -( - process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp", "mkinitramfs", - "readlink") or process.title : "*grep*" or process.parent.pid == 1 -) +host.os.type:linux and event.category:file and event.action:"opened-file" and +file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) ''' [[rule.threat]] @@ -69,3 +71,11 @@ reference = "https://attack.mitre.org/techniques/T1082/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index 24fc90046..49c308883 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml 
@@ -2,9 +2,9 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/08/24" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
@@ -16,11 +16,14 @@ configuration files to modify kernel parameters, potentially compromising system from = "now-119m" interval = "60m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Suspicious Sysctl File Event" -note = """## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. +risk_score = 21 +rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02" +setup = """ + +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. ``` Kibana --> 
@@ -30,7 +33,7 @@ Auditd Manager --> Add Auditd Manager ``` -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. For this detection rule to trigger, the following additional audit rules are required to be added to the integration: 
@@ -41,17 +44,19 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ -risk_score = 21 -rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02" severity = "low" -tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = [ + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" building_block_type = "default" query = ''' -file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and -file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and -not process.name in ("auditbeat", "systemd-sysctl", "dpkg", "dnf", "yum", "rpm", "apt") +host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and +file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) ''' [[rule.threat]] @@ -66,3 +71,11 @@ reference = "https://attack.mitre.org/techniques/T1082/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 5e8ec5b6b..027d71212 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml 
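Review bot: `event.action` is not among the new-terms fields (`host.id`, `process.executable`, `file.path`), yet the `query` matches `opened-file`, `read-file` and `wrote-to-file` alike, so a write to `/etc/sysctl.conf` by an executable that read the same path within the 7-day window is an already-seen term and is suppressed. Writes are the higher-signal action for this rule, so the write case should not be masked by earlier reads. If the New Terms field limit prevents adding `event.action` as another field, split `wrote-to-file` into its own rule or restrict this query to the read actions. The dropped `systemd-sysctl`/package-manager exclusions are otherwise covered by the new-terms history, consistent with the other auditd conversions in this commit.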
@@ -4,7 +4,7 @@ integration = ["windows", "system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/14" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ name = "Potential Network Share Discovery" risk_score = 21 rule_id = "b2318c71-5959-469a-a3ce-3a0768e63b9c" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR"] type = "eql" building_block_type = "default" @@ -46,3 +46,17 @@ reference = "https://attack.mitre.org/techniques/T1135/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1039" +name = "Data from Network Shared Drive" +reference = "https://attack.mitre.org/techniques/T1039/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/windows/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml similarity index 79% rename from rules/windows/discovery_net_view.toml rename to rules_building_block/discovery_net_view.toml index f79ecd709..e606e5d26 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules_building_block/discovery_net_view.toml 
@@ -4,10 +4,12 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool." from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] 
@@ -42,14 +44,29 @@ This rule looks for the execution of the `net` utility to enumerate servers in t - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" @@ -70,9 +87,9 @@ process where host.os.type == "windows" and event.type == "start" and */ ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" 
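Review bot: This rule becomes a building block (`Rule Type: BBR` tag, `building_block_type = "default"` in the earlier hunk) but keeps `risk_score = 47` and `severity = "medium"`, while the other rules converted in this commit, `discovery_post_exploitation_external_ip_lookup.toml` and `discovery_remote_system_discovery_commands_windows.toml`, carry 21/low; `discovery_security_software_wmic.toml` has the same 47/medium mismatch. Either align it with `risk_score = 21` and `severity = "low"` or note why this BBR is scored higher than its peers. The new `setup` string also opens and closes with blank lines and ends with `refer - https://...`; `see https://...` reads more cleanly.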
@@ -83,9 +100,22 @@ id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1039" +name = "Data from Network Shared Drive" +reference = "https://attack.mitre.org/techniques/T1039/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml index 26cda1b53..90aef7022 100644 --- a/rules_building_block/discovery_posh_generic.toml +++ b/rules_building_block/discovery_posh_generic.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/16" +updated_date = "2023/10/19" [rule] @@ -19,8 +19,9 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Discovery Capabilities" -note = """## Setup - +risk_score = 21 +rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be" +setup = """ The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: @@ -37,8 +38,6 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -risk_score = 21 -rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" 
@@ -132,16 +131,25 @@ event.category:process and host.os.type:windows and "CSFalcon" or "TmPfw" or "kvoop" ) ) - ) and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") - and not file.path : ( - *WindowsPowerShell*Modules*.psd1 or - *WindowsPowerShell*Modules*.psm1 or - "C:\\Program Files\\Microsoft Azure AD Sync\\Extensions\\AADConnector.psm1" - ) - and not (file.path : ( - *Windows*TEMP*SDIAG* or - *WINDOWS*TEMP*SDIAG* or - *windows*TEMP*SDIAG*) and file.name : "CL_Utility.ps1") + ) and + not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and + not file.path : ( + ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psd1 or + ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psm1 or + ?\:\\\\Program?Files\\\\Microsoft?Azure?AD?Sync\\\\Extensions\\\\AADConnector.psm1* or + *ServiceNow?MID?Server*agent\\\\scripts\\\\PowerShell\\\\*.psm1 or + ?\:\\\\*\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1 + ) and + not ( + file.path : ( + ?\:\\\\*\\\\TEMP\\\\SDIAG* or + ?\:\\\\TEMP\\\\SDIAG* or + ?\:\\\\Temp\\\\SDIAG* or + ?\:\\\\temp\\\\SDIAG* or + ?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG* or + ?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\SDIAG* + ) and file.name : "CL_Utility.ps1" + ) ''' diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index e71108428..36899ec88 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/12" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
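Review bot: The new `*ServiceNow?MID?Server*agent\\\\scripts\\\\PowerShell\\\\*.psm1` exclusion is the only entry in the `file.path` list that starts with a leading `*`, so unlike the drive-anchored `?\:\\\\Program?Files\\\\...` entries it matches that directory name at any depth, including locations outside the product's install path; anchoring it to `?\:\\\\` like the others keeps the exclusion as narrow as the rest. The `?\:\\\\*\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1` entry has the same shape to a lesser degree. The enclosing `query` starts well before this hunk.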
@@ -18,8 +18,9 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Password Policy Discovery Capabilities" -note = """## Setup - +risk_score = 21 +rule_id = "fe25d5bc-01fa-494a-95ff-535c29cc4c96" +setup = """ The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: @@ -36,10 +37,8 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -risk_score = 21 -rule_id = "fe25d5bc-01fa-494a-95ff-535c29cc4c96" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" building_block_type = "default" @@ -92,3 +91,23 @@ reference = "https://attack.mitre.org/techniques/T1201/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
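Review bot: The added `[[rule.threat]]` block for T1059.001/Execution has no blank line between `framework` and `[[rule.threat.technique]]` and three blank lines before `[rule.threat.tactic]`, unlike the block added to `discovery_net_share_discovery_winlog.toml` in this commit, which separates each table with exactly one blank line. Normalising to one blank line between tables and dropping the extra trailing blank lines keeps the rule files uniform. Tagging a password-policy discovery query with `Tactic: Execution` purely because it runs in PowerShell is a judgement call; if the intent is to attribute the data source, the existing `Data Source: PowerShell Logs` tag already does that.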
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml similarity index 95% rename from rules/windows/discovery_post_exploitation_external_ip_lookup.toml rename to rules_building_block/discovery_post_exploitation_external_ip_lookup.toml index d3d963d15..40219c503 100644 --- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules_building_block/discovery_post_exploitation_external_ip_lookup.toml @@ -4,10 +4,12 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this @@ -62,7 +64,14 @@ references = [ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -109,27 +118,25 @@ network where host.os.type == "windows" and network.protocol == "dns" and ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] id = "T1016.001" name = "Internet Connection Discovery" reference = "https://attack.mitre.org/techniques/T1016/001/" - [[rule.threat.technique]] id = "T1614" name = "System Location Discovery" reference = "https://attack.mitre.org/techniques/T1614/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml similarity index 84% rename from rules/windows/discovery_remote_system_discovery_commands_windows.toml rename to rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 90c6d2c99..1454333cb 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -4,10 +4,12 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = "Discovery of remote system information using built-in commands, which may be used to move laterally." from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] 
@@ -42,14 +44,28 @@ This rule looks for the execution of the `arp` or `nbstat` utilities to enumerat - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 21 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + +""" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" 
@@ -66,9 +82,9 @@ process where host.os.type == "windows" and event.type == "start" and process.args : "group" and process.args : "/domain" and not process.args : "/add"))) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" @@ -79,9 +95,7 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules_building_block/discovery_security_software_wmic.toml similarity index 74% rename from rules/windows/discovery_security_software_wmic.toml rename to rules_building_block/discovery_security_software_wmic.toml index 8e3377602..abb504d6b 100644 --- a/rules/windows/discovery_security_software_wmic.toml +++ b/rules_building_block/discovery_security_software_wmic.toml @@ -4,7 +4,8 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/10/19" +bypass_bbr_timing = true [rule] author = ["Elastic"] 
@@ -45,39 +46,66 @@ This rule looks for the execution of the `wmic` utility with arguments compatibl - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922" +setup = """ + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. 
+For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + +""" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" +building_block_type = "default" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and - (process.name:"wmic.exe" or process.pe.original_file_name:"wmic.exe") and - process.args:"/namespace:\\\\root\\SecurityCenter2" and process.args:"Get" +(process.name : "wmic.exe" or process.pe.original_file_name : "wmic.exe") and +process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + 
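Review bot: `risk_score = 47` and `severity = "medium"` are carried over unchanged while the rule becomes a building block (`building_block_type = "default"`, tag `Rule Type: BBR`) and its `rule_id` `6ea55c81-…` is consumed by the new higher-order rule at L1328; every other building-block rule in this change uses `risk_score = 21` and `severity = "low"` (L1323, L1328, L1342, L1344). If the higher score is intentional for this rule it deserves a sentence in the PR description, otherwise align it with the others. The rest of the hunk (query whitespace, the added T1047 / TA0002 threat block) looks consistent with the other converted rules.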
diff --git a/rules_building_block/discovery_signal_unusual_user_host.toml b/rules_building_block/discovery_signal_unusual_user_host.toml
new file mode 100644
index 000000000..5c46f3400
--- /dev/null
+++ b/rules_building_block/discovery_signal_unusual_user_host.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/10"
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/10/10"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
+host.id and user.id entries.
+"""
+from = "now-9m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Discovery Activity by User"
+risk_score = 21
+rule_id = "cf575427-0839-4c69-a9e6-99fde02606f3"
+severity = "low"
+tags = ["Domain: Endpoint",
+  "OS: Windows",
+  "Use Case: Threat Detection",
+  "Tactic: Discovery",
+  "Rule Type: Higher-Order Rule"
+  ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
+  "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
+  "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
+  "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
+  "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169" or
+  "1d72d014-e2ab-4707-b056-9b96abe7b511"
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "user.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml
index 9a8342266..f6d248832 100644
--- a/rules_building_block/discovery_suspicious_proc_enumeration.toml
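Review bot: The `kibana.alert.rule.rule_id` clause hard-codes nine UUIDs with nothing saying which rules they are, so anyone adding or retiring a Discovery building-block rule has to grep for a UUID to find this dependency. Six of them are visible in this change — `0635c542-…` (arp/nbstat, L1323), `6ea55c81-…` (wmic, L1325), `e0881d20-…` (system service discovery, L1333), `06568a02-…` (system time discovery, L1335), `c4e9ed3e-…` (network connections, L1336), `51176ed2-…` (system information discovery, L1337) — and the other three are outside this chunk. Since the query is a literal, the mapping is best kept in `description`, e.g. a closing sentence such as `Source rules: <rule name>, <rule name>, ...` listing all nine by name. The list holds only Windows rules and the query requires `host.os.type:windows`, so the Linux building blocks touched in this change (e.g. L1329) appear to be out of scope by design — worth stating in the description as well.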
+++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/10/19" [rule] author = ["Elastic"] @@ -19,8 +19,11 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "kuery" license = "Elastic License v2" name = "Suspicious Proc Pseudo File System Enumeration" -note = """## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. +risk_score = 21 +rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd" +setup = """ + +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. ``` Kibana --> 
@@ -30,7 +33,7 @@ Auditd Manager --> Add Auditd Manager ``` -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. For this detection rule to trigger, the following additional audit rules are required to be added to the integration: ``` 
@@ -39,21 +42,26 @@ For this detection rule to trigger, the following additional audit rules are req Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. """ -risk_score = 21 -rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd" severity = "low" -tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"] +tags = [ + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "threshold" building_block_type = "default" query = ''' -host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and -file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and -not process.parent.pid : 1 +host.os.type:linux and event.category:file and event.action:"opened-file" and +file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : ( + ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status +) and not process.parent.pid : 1 ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1057" name = "Process Discovery" @@ -72,6 +80,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/" [rule.threshold] field = ["host.id", "process.pid", "process.name"] value = 1 + [[rule.threshold.cardinality]] field = "file.path" value = 100 diff --git a/rules_building_block/discovery_suspicious_which_command_execution.toml b/rules_building_block/discovery_suspicious_which_command_execution.toml index b6cdb9dc9..11a5daab6 100644 --- a/rules_building_block/discovery_suspicious_which_command_execution.toml +++ b/rules_building_block/discovery_suspicious_which_command_execution.toml 
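Review bot: The new exclusion `not process.name : (ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status)` keys the exemption on the bare process name, which is the weakest field to anchor an allow-list on; tying it to `process.executable` (for example `/usr/bin/ps`) would keep the same noise reduction while binding the exemption to the installed binary. Whether the auditd events the rule reads (`index` at L1329) carry `process.executable` for these file opens is not visible here, so confirm before switching. The second hunk on this line only inserts a blank line before `[[rule.threshold.cardinality]]`.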
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/30" +updated_date = "2023/09/13" [rule] author = ["Elastic"] @@ -22,7 +22,7 @@ name = "Suspicious which Enumeration" risk_score = 21 rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" building_block_type = "default" diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml similarity index 75% rename from rules/windows/discovery_system_service_discovery.toml rename to rules_building_block/discovery_system_service_discovery.toml index 1e9af9b78..97efd2762 100644 --- a/rules/windows/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -4,10 +4,12 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/12" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges. 
@@ -20,14 +22,22 @@ name = "System Service Discovery through built-in Windows Utilities" risk_score = 21 rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and ( - ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or + ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and + not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") or (process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe") @@ -36,6 +46,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" @@ -44,4 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1007/" [rule.threat.tactic] id = "TA0007" name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0007/" 
diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml similarity index 67% rename from rules/windows/discovery_system_time_discovery.toml rename to rules_building_block/discovery_system_time_discovery.toml index a340cb45f..6ec486303 100644 --- a/rules/windows/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml @@ -1,15 +1,18 @@ [metadata] -creation_date = "2023/01/17" +creation_date = "2023/01/24" integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ -Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system. +Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance +phase after compromising a system. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] 
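Review bot: `creation_date` changes from `"2023/01/17"` to `"2023/01/24"` in the first hunk, which looks unrelated to the move into `rules_building_block/` and to the `updated_date` / `bypass_bbr_timing` edits around it; creation dates are normally left alone on a rename. If the original date was wrong that should be said in the PR description, otherwise keep `creation_date = "2023/01/17"`.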
@@ -19,21 +22,30 @@ name = "System Time Discovery" risk_score = 21 rule_id = "06568a02-af29-4f20-929c-f3af281e41aa" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and ( - ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : "time") or + ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and + process.args : "time") or (process.name: "w32tm.exe" and process.args: "/tz") or (process.name: "tzutil.exe" and process.args: "/g") -) and not user.id : "S-1-5-18" +) and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1124" name = "System Time Discovery" diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index 071b80bc8..16ce86012 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml 
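Review bot: The user exclusion in the query widens from `not user.id : "S-1-5-18"` to `not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")`, and nothing in the change records why the two service accounts now need to be exempt; the sibling network-connections rule at L1336 keeps `not user.id : "S-1-5-18"`, so the two rules now diverge. Either carry the rationale in the PR description or apply the same exclusion set to both rules so later tuning starts from one baseline.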
@@ -4,16 +4,17 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/14" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" @@ -21,9 +22,14 @@ name = "Windows System Network Connections Discovery" risk_score = 21 rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" type = "eql" query = ''' @@ -43,19 +49,19 @@ process where event.type == "start" and ) and not user.id : "S-1-5-18" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index d5c4eb011..61bfa2d8c 100644 
--- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -4,16 +4,17 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/26" +updated_date = "2023/09/21" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" @@ -21,10 +22,15 @@ name = "Windows System Information Discovery" risk_score = 21 rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" -building_block_type = "default" query = ''' process where host.os.type == "windows" and event.type == "start" and @@ -48,6 +54,7 @@ process.parent.executable : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" diff --git a/rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml b/rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml new file mode 100644 index 000000000..f07cff9f8 --- /dev/null 
+++ b/rules_building_block/execution_delayed_via_ping_lolbas_unsigned.toml 
@@ -0,0 +1,151 @@ +[metadata] +creation_date = "2023/09/25" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/25" +bypass_bbr_timing = true + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often +observed during malware installation and is consistent with an attacker attempting to evade detection. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Delayed Execution via Ping" +risk_score = 21 +rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] +type = "eql" +building_block_type = "default" + +query = ''' +sequence by process.parent.entity_id with maxspan=1m + [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and + process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"] + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : "cmd.exe" and + ( + process.name : ( + "rundll32.exe", "powershell.exe", + "mshta.exe", "msbuild.exe", + "certutil.exe", "regsvr32.exe", + "powershell.exe", "cscript.exe", + "wscript.exe", "wmic.exe", + "installutil.exe", "msxsl.exe", + "Microsoft.Workflow.Compiler.exe", + "ieexec.exe", "iexpress.exe", + "RegAsm.exe", "installutil.exe", + "RegSvcs.exe", "RegAsm.exe" + ) or + (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true) + ) and + + not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and + not (process.name : ("openssl.exe", "httpcfg.exe", 
"certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and + not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and + not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and + not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and + not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and + not (process.name : "wscript.exe" and + process.working_directory : + ("?:\\Windows\\TempInst\\*", + "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\", + "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\")) + ] +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +name = "Command and Scripting Interpreter" +id = "T1059" +reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + name = "Visual Basic" + id = "T1059.005" + reference = "https://attack.mitre.org/techniques/T1059/005/" + + [[rule.threat.technique.subtechnique]] + name = "PowerShell" + id = "T1059.001" + reference = "https://attack.mitre.org/techniques/T1059/001/" + + [rule.threat.tactic] + name = "Execution" + id = "TA0002" + reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + + [[rule.threat.technique.subtechnique]] + name = "Time Based Evasion" + id = "T1497.003" + reference = "https://attack.mitre.org/techniques/T1497/003/" + +[[rule.threat.technique]] +name = "System Binary Proxy Execution" +id = "T1218" +reference = "https://attack.mitre.org/techniques/T1218/" + + [[rule.threat.technique.subtechnique]] + name = "CMSTP" + id = "T1218.003" + reference = 
"https://attack.mitre.org/techniques/T1218/003/" + + [[rule.threat.technique.subtechnique]] + name = "InstallUtil" + id = "T1218.004" + reference = "https://attack.mitre.org/techniques/T1218/004/" + + [[rule.threat.technique.subtechnique]] + name = "Mshta" + id = "T1218.005" + reference = "https://attack.mitre.org/techniques/T1218/005/" + + [[rule.threat.technique.subtechnique]] + name = "Regsvcs/Regasm" + id = "T1218.009" + reference = "https://attack.mitre.org/techniques/T1218/009/" + + [[rule.threat.technique.subtechnique]] + name = "Regsvr32" + id = "T1218.010" + reference = "https://attack.mitre.org/techniques/T1218/010/" + + [[rule.threat.technique.subtechnique]] + name = "Rundll32" + id = "T1218.011" + reference = "https://attack.mitre.org/techniques/T1218/011/" + + [[rule.threat.technique]] + name = "System Script Proxy Execution" + id = "T1216" + reference = "https://attack.mitre.org/techniques/T1216/" + + [[rule.threat.technique]] + name = "XSL Script Processing" + id = "T1220" + reference = "https://attack.mitre.org/techniques/T1220/" + + +[rule.threat.tactic] +name = "Defense Evasion" +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml new file mode 100644 index 000000000..052ee0410 --- /dev/null +++ b/rules_building_block/execution_linux_segfault.toml 
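Review bot: The `process.name` list in the second sequence step repeats `"powershell.exe"`, `"installutil.exe"` and `"RegAsm.exe"`, which EQL tolerates but which suggests the list was merged by hand; dropping the repeats leaves `rundll32.exe, powershell.exe, mshta.exe, msbuild.exe, certutil.exe, regsvr32.exe, cscript.exe, wscript.exe, wmic.exe, installutil.exe, msxsl.exe, Microsoft.Workflow.Compiler.exe, ieexec.exe, iexpress.exe, RegAsm.exe, RegSvcs.exe`. The threat mapping includes subtechnique T1218.003 (CMSTP) although `cmstp.exe` is not in that list, so either the mapping or the list is incomplete. In the second `[[rule.threat]]` block the `[[rule.threat.technique]]` tables for T1216 and T1220 are indented under T1218's subtechniques; TOML ignores the indentation so they remain sibling techniques, but the layout reads as nesting — put them at column 0 like the other technique tables. `tags` is on a single line here while the other rules added in this change (L1328, L1342) use the multi-line form.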
@@ -0,0 +1,71 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/26"
+integration = ["system"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Monitors kernel logs for segfault messages. A segfault, or segmentation fault, is an error that occurs when a program
+tries to access a memory location that it's not allowed to access, typically leading to program termination. A segfault
+can be an indication of malicious behavior if it results from attempts to exploit buffer overflows or other
+vulnerabilities in software to execute arbitrary code or disrupt its normal operation.
+"""
+from = "now-9m"
+index = ["logs-system.syslog-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Segfault Detected"
+risk_score = 21
+rule_id = "5c81fc9d-1eae-437f-ba07-268472967013"
+setup = """## Setup
+
+This rule requires data coming in from one of the following integrations:
+- Filebeat
+
+### Filebeat Setup
+
+Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
+
+#### The following steps should be executed in order to add the Filebeat for the Linux System:
+
+- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).
+- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
+- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
+- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
+- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
+
+#### Rule Specific Setup Note
+
+- This rule requires the Filebeat System Module to be enabled.
+- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
+- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
+"""
+severity = "low"
+tags = [
+  "Domain: Endpoint",
+  "OS: Linux",
+  "Use Case: Threat Detection",
+  "Tactic: Execution",
+  "Rule Type: BBR"
+  ]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "query"
+query = '''
+host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and message:segfault
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules_building_block/execution_unix_socket_communication.toml b/rules_building_block/execution_unix_socket_communication.toml
new file mode 100644
index 000000000..6e33fe6a8
--- /dev/null
+++ b/rules_building_block/execution_unix_socket_communication.toml
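Review bot: The setup text walks through installing standalone Filebeat and enabling its system module, but `index = ["logs-system.syslog-*"]` and `event.dataset:"system.syslog"` are the data-stream names of the Fleet `system` integration, which is also what `integration = ["system"]` in metadata points at; as far as I know Filebeat's system module does not write to `logs-system.syslog-*` by default, so a user following these steps would see no matches. Either describe the Elastic Agent system integration in the setup (the one the metadata names) or add the Filebeat index pattern to `index` — confirm against the data streams the repo's integration schemas expect. The quick-start link pins `filebeat/8.11/` while the neighbouring links use `current`, so it will go stale; use `current` there too.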
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2023/09/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/04"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local
+Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate
+privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to
+evade detection.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unix Socket Connection"
+risk_score = 21
+rule_id = "41284ba3-ed1a-4598-bfba-a97f75d9aba2"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
+  (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and
+  process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or
+  (process.name == "socat" and
+  process.args == "-" and process.args : ("UNIX-CLIENT:/usr/local/*", "UNIX-CLIENT:/run/*", "UNIX-CLIENT:/var/run/*"))
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1559"
+name = "Inter-Process Communication"
+reference = "https://attack.mitre.org/techniques/T1559/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
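Review bot: The description says the rule "monitors for inter-process communication via Unix sockets", but the query only matches `nc`/`ncat`/`netcat`/`nc.openbsd` invoked with `-U` and `socat` invoked with `-` whose socket argument lies under `/usr/local`, `/run` or `/var/run`; a reader tuning the rule would want that scope stated, e.g. by appending `Coverage is limited to netcat and socat clients connecting to sockets under /usr/local, /run and /var/run.` to `description`. `tags` is on a single line while the other rules added in this change (L1328, L1342) use the multi-line form.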
diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml
index 6c29b7ca4..dccb42a8f 100644
--- a/rules_building_block/execution_unsigned_service_executable.toml
+++ b/rules_building_block/execution_unsigned_service_executable.toml
@@ -2,55 +2,82 @@ creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" -updated_date = "2023/07/14" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/09/19" +bypass_bbr_timing = true [rule] author = ["Elastic"] +building_block_type = "default" description = """ This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges. """ -from = "now-119m" -interval = "60m" +from = "now-9m" index = ["logs-endpoint.events.*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Execution of an Unsigned Service" risk_score = 21 rule_id = "56fdfcf1-ca7c-4fd9-951d-e215ee26e404" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" -building_block_type = "default" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "windows" and event.type == "start" and -( - ( - process.parent.executable : "C:\\Windows\\System32\\services.exe" and - (process.code_signature.exists == false or process.code_signature.trusted == false) - ) -) +host.os.type:windows and event.category:process and event.type:start and +process.parent.executable:"C:\\Windows\\System32\\services.exe" and +(process.code_signature.exists:false or process.code_signature.trusted:false) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = 
"https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.001" +name = "Invalid Code Signature" +reference = "https://attack.mitre.org/techniques/T1036/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["host.id", "process.executable", "user.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" \ No newline at end of file diff --git a/rules_building_block/initial_access_execution_from_removable_media.toml b/rules_building_block/initial_access_execution_from_removable_media.toml new file mode 100644 index 000000000..c24c3e353 --- /dev/null +++ b/rules_building_block/initial_access_execution_from_removable_media.toml 
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/09/27"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/27"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems,
+possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of
+Autorun features when the media is inserted into a system and executes.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Execution from a Removable Media with Network Connection"
+risk_score = 21
+rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"]
+building_block_type = "default"
+type = "eql"
+
+query = '''
+sequence by process.entity_id with maxspan=5m
+ [process where host.os.type == "windows" and event.action == "start" and
+
+ /* Direct Exec from USB */
+ (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and
+ (process.code_signature.trusted == false or process.code_signature.exists == false) and
+
+ not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")]
+ [network where host.os.type == "windows" and event.action == "connection_attempted"]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1091"
+name = "Replication Through Removable Media"
+reference = "https://attack.mitre.org/techniques/T1091/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
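Review bot: The network leg of the sequence, `[network where host.os.type == "windows" and event.action == "connection_attempted"]`, accepts any destination, so a binary run from removable media that only talks to loopback or a local service still satisfies the "with Network Connection" part of the rule name. If outbound connections are what the rule is after, an exclusion such as `not cidrmatch(destination.ip, "127.0.0.0/8", "::1")` on that leg narrows it without touching the process leg. Either way, a one-line comment in the query stating which connections are meant to qualify would help the next person tuning it.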
diff --git a/rules_building_block/initial_access_execution_remote_via_msiexec.toml b/rules_building_block/initial_access_execution_remote_via_msiexec.toml new file mode 100644 index 000000000..b923ea62e --- /dev/null +++ b/rules_building_block/initial_access_execution_remote_via_msiexec.toml 
@@ -0,0 +1,94 @@
+[metadata]
+creation_date = "2023/09/28"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/28"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse
+msiexec.exe to launch local or network accessible MSI files.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Remote File Execution via MSIEXEC"
+risk_score = 21
+rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
+building_block_type = "default"
+type = "eql"
+
+query = '''
+sequence with maxspan=1m
+ [process where host.os.type == "windows" and event.action == "start" and
+ process.name : "msiexec.exe" and process.args : "/V"] by process.entity_id
+ [network where host.os.type == "windows" and process.name : "msiexec.exe" and
+ event.action == "connection_attempted"] by process.entity_id
+ [process where host.os.type == "windows" and event.action == "start" and
+ process.parent.name : "msiexec.exe" and user.id : ("S-1-5-21-*", "S-1-5-12-1-*") and
+ not process.executable : ("?:\\Windows\\SysWOW64\\msiexec.exe",
+ "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Windows\\System32\\srtasks.exe",
+ "?:\\Windows\\SysWOW64\\srtasks.exe",
+ "?:\\Windows\\System32\\taskkill.exe",
+ "?:\\Windows\\Installer\\MSI*.tmp",
+ "?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\System32\\ie4uinit.exe",
+ "?:\\Windows\\SysWOW64\\ie4uinit.exe",
+ "?:\\Windows\\System32\\sc.exe",
+ "?:\\Windows\\system32\\Wbem\\mofcomp.exe",
+ "?:\\Windows\\twain_32\\fjscan32\\SOP\\crtdmprc.exe",
+ "?:\\Windows\\SysWOW64\\taskkill.exe",
+ "?:\\Windows\\SysWOW64\\schtasks.exe",
+ "?:\\Windows\\system32\\schtasks.exe",
+ "?:\\Windows\\System32\\sdbinst.exe") and
+ not (process.code_signature.subject_name == "Citrix Systems, Inc." and process.code_signature.trusted == true) and
+ not (process.name : ("regsvr32.exe", "powershell.exe", "rundll32.exe", "wscript.exe") and
+ process.Ext.token.integrity_level_name == "high" and
+ process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and
+ not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true) and
+ not (process.name : "rundll32.exe" and process.args : "printui.dll,PrintUIEntry")
+ ] by process.parent.entity_id
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.007"
+name = "Msiexec"
+reference = "https://attack.mitre.org/techniques/T1218/007/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/initial_access_xsl_script_execution_via_com.toml b/rules_building_block/initial_access_xsl_script_execution_via_com.toml
new file mode 100644
index 000000000..f0892a1b1
--- /dev/null
+++ b/rules_building_block/initial_access_xsl_script_execution_via_com.toml
@@ -0,0 +1,72 @@ +[metadata] +creation_date = "2023/09/27" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/27" +bypass_bbr_timing = true + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. +This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Remote XSL Script Execution via COM" +risk_score = 21 +rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a" +severity = "low" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] +building_block_type = "default" +type = "eql" + +query = ''' +sequence with maxspan=1m + [library where host.os.type == "windows" and dll.name : "msxml3.dll" and + process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and + not process.executable : + ("?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWoW64\\WerFault.exe", + "?:\\windows\\splwow64.exe", + "?:\\Windows\\System32\\conhost.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + + + 
+[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1220" +name = "XSL Script Processing" +reference = "https://attack.mitre.org/techniques/T1220/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/lateral_movement_at.toml b/rules_building_block/lateral_movement_at.toml index d1d595fc4..404196f88 100644 --- a/rules_building_block/lateral_movement_at.toml +++ b/rules_building_block/lateral_movement_at.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/21" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -52,6 +52,11 @@ id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml index 3aff00994..29a91932b 100644 --- a/rules_building_block/lateral_movement_posh_winrm_activity.toml +++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/12" +updated_date = "2023/10/19" [rule] author = ["Elastic"] 
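Review bot: The last exclusion in the process leg of the XSL rule, `"?:\\Program Files (x86)\\*exe"`, is missing the dot before the extension, so it also excludes any child whose path merely ends in `exe`, unlike its sibling `"?:\\Program Files\\*.exe"`; it should read `"?:\\Program Files (x86)\\*.exe"`. Both Program Files exclusions are also unconditional (no code-signature requirement), so an unsigned child dropped under either directory by an Office process is excluded outright; if that trade-off is intended for a building-block rule, a short comment in the query saying so would stop it being "fixed" later.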
@@ -18,8 +18,14 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Remote Execution Capabilities via WinRM" -note = """## Setup - +references = [ + "https://attack.mitre.org/techniques/T1021/006/", + "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py" +] +risk_score = 21 +rule_id = "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83" +setup = """ The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: @@ -36,15 +42,9 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ -references = [ - "https://attack.mitre.org/techniques/T1021/006/", - "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", - "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py" -] -risk_score = 21 -rule_id = "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83" + severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: PowerShell Logs", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" building_block_type = "default" 
@@ -53,6 +53,14 @@ query = ''' event.category:process and host.os.type:windows and powershell.file.script_block_text : ( ("Invoke-WmiMethod" or "Invoke-Command" or "Enter-PSSession") and "ComputerName" + ) and + not user.id : "S-1-5-18" and + not file.directory : ( + "C:\\Program Files\\LogicMonitor\\Agent\\tmp" or + ?\:\\\\Program?Files\\\\Microsoft\\\\Exchange?Server\\\\*\\\\bin or + ?\:\\\\Logicmonitor\\\\tmp* or + ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\* or + ?\:\\\\ExchangeServer\\\\bin* ) ''' @@ -74,3 +82,23 @@ reference = "https://attack.mitre.org/techniques/T1021/006/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules_building_block/initial_access_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml similarity index 82% rename from rules_building_block/initial_access_unusual_process_sql_accounts.toml rename to rules_building_block/lateral_movement_unusual_process_sql_accounts.toml index 80d8aa5b7..b103390f2 100644 --- a/rules_building_block/initial_access_unusual_process_sql_accounts.toml +++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/25" +updated_date = "2023/10/13" bypass_bbr_timing = true [rule] 
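Review bot: The new `not user.id : "S-1-5-18"` clause drops every script block that ran as LocalSystem, which is a coverage decision rather than a plain false-positive tune, and nothing in the rule explains it; a sentence in the rule description or `note` stating why SYSTEM is excluded (e.g. which agent or management tooling issues remoting commands under that account) would document the trade-off. The `file.directory` exclusions also mix one quoted literal (`"C:\\Program Files\\LogicMonitor\\Agent\\tmp"`) with four unquoted wildcard patterns that escape the drive letter and spaces (`?\:\\\\Program?Files\\\\...`), which is hard to read and easy to get wrong; either a consistent form or a line in `note` explaining the unquoted-wildcard syntax would help. The `query = '''` opening line is outside this hunk.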
@@ -25,7 +25,7 @@ references = [ risk_score = 21 rule_id = "e74d645b-fec6-431e-bf93-ca64a538e0de" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" building_block_type = "default" @@ -54,15 +54,15 @@ process where event.type == "start" and host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" [rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -72,6 +72,10 @@ id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.001" +name = "SQL Stored Procedures" +reference = "https://attack.mitre.org/techniques/T1505/001/" [rule.threat.tactic] id = "TA0003" diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index fcdef0622..31c7f006a 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/24" +updated_date = "2023/10/09" [rule] author = ["Elastic"] @@ -42,6 +42,11 @@ id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.006" +name = "Windows Remote Management" +reference = "https://attack.mitre.org/techniques/T1021/006/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules_building_block/persistence_kernel_driver_load.toml b/rules_building_block/persistence_kernel_driver_load.toml new file mode 100644 index 000000000..923153a86 --- /dev/null +++ b/rules_building_block/persistence_kernel_driver_load.toml 
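Review bot: The sub-technique added to lateral_movement_wmic_remote.toml, T1021.006 (Windows Remote Management), does not obviously fit a rule named for remote WMIC activity: WMIC's remote operations ride on DCOM/RPC rather than WinRM, and ATT&CK has T1021.003 (Distributed Component Object Model) for that. If the mapping was chosen deliberately, a short comment above the `[[rule.threat.technique.subtechnique]]` table explaining why would prevent a later "correction"; otherwise T1021.003 looks like the intended entry. The query is not visible in this hunk, so this is inferred from the file name alone.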
@@ -0,0 +1,93 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/26"
+integration = ["auditd_manager"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/26"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to
+load a rootkit on a system providing them with complete control and the ability to hide from security products. As other
+rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap
+that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Kernel Driver Load"
+risk_score = 21
+rule_id = "3e12a439-d002-4944-bc42-171c0dcb9b96"
+setup = """## Setup
+This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
+
+```
+Kibana -->
+Management -->
+Integrations -->
+Auditd Manager -->
+Add Auditd Manager
+```
+
+`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+
+For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
+```
+-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
+-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
+```
+
+Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+"""
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+driver where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
+event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat.technique]]
+name = "Rootkit"
+id = "T1014"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
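Review bot: The audit rules in `setup` carry `-F auid!=-1`, which limits the events this rule can ever see to module loads attributable to a login session; loads performed by daemons or other contexts whose login UID is unset are never audited and therefore never alert, and the text does not say so. A sentence next to the rules, e.g. "the `auid!=-1` filter restricts coverage to module loads tied to a login session; drop it if daemon-initiated loads must be covered", would let operators make that call consciously. Separately, the second `[[rule.threat]]` entry lists `[rule.threat.tactic]` before `[[rule.threat.technique]]` and swaps the `name`/`id` order for T1014, which is valid TOML but the reverse of every other rule file in this change.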
diff --git a/rules_building_block/persistence_msoffice_startup_registry.toml b/rules_building_block/persistence_msoffice_startup_registry.toml index 456d3ffdf..74eb9aab8 100644 --- a/rules_building_block/persistence_msoffice_startup_registry.toml +++ b/rules_building_block/persistence_msoffice_startup_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/08/22" +updated_date = "2023/10/13" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ references = [ risk_score = 21 rule_id = "14dab405-5dd9-450c-8106-72951af2391f" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" building_block_type = "default" @@ -50,3 +50,16 @@ reference = "https://attack.mitre.org/techniques/T1137/002/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/persistence_suspicious_file_opened_through_editor.toml b/rules_building_block/persistence_suspicious_file_opened_through_editor.toml index c34019245..3ba36c01c 100644 --- a/rules_building_block/persistence_suspicious_file_opened_through_editor.toml +++ b/rules_building_block/persistence_suspicious_file_opened_through_editor.toml 
@@ -3,7 +3,7 @@ creation_date = "2023/07/25" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/25" +updated_date = "2023/09/26" integration = ["endpoint"] [rule] @@ -20,6 +20,7 @@ interval = "60m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" +max_signals = 1 name = "Potential Suspicious File Edit" risk_score = 21 rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128" @@ -35,9 +36,9 @@ file.path : ( /* common interesting files and locations */ "/etc/.shadow.swp", "/etc/.shadow-.swp", "/etc/.shadow~.swp", "/etc/.gshadow.swp", "/etc/.gshadow-.swp", "/etc/.passwd.swp", "/etc/.pwd.db.swp", "/etc/.master.passwd.swp", "/etc/.spwd.db.swp", "/etc/security/.opasswd.swp", - "/etc/.hosts.swp", "/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp", - "/etc/ld.so.conf.d/.*.swp", "/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp", - "/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp", "/usr/lib/update-notifier/.*.swp", + "/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp", "/etc/ld.so.conf.d/.*.swp", + "/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp", "/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp", + "/usr/lib/update-notifier/.*.swp", /* service, timer, want, socket and lock files */ "/etc/systemd/system/.*.swp", "/usr/local/lib/systemd/system/.*.swp", "/lib/systemd/system/.*.swp", diff --git a/rules_building_block/persistence_tainted_kernel_module_load.toml b/rules_building_block/persistence_tainted_kernel_module_load.toml new file mode 100644 index 000000000..2a9802ebe --- /dev/null +++ b/rules_building_block/persistence_tainted_kernel_module_load.toml 
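Review bot: The new `max_signals = 1` caps the rule at one alert per run (the hunk heading shows `interval = "60m"`), so a second suspicious `.swp` under a different path inside the same window is dropped rather than surfaced; for a building-block rule that other rules consume, that loses the per-file signal. If the intent is to de-duplicate a noisy editor, say so in the description or `note`; otherwise a higher cap keeps distinct files visible. The same change also removes `"/etc/.hosts.swp"` from the watched paths, which reads as false-positive tuning but leaves edits of /etc/hosts uncovered, and deserves a word of explanation somewhere in the rule.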
@@ -0,0 +1,94 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/23"
+integration = ["system"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/26"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often
+leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for
+ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to
+system vulnerabilities or unauthorized access.
+"""
+from = "now-9m"
+index = ["logs-system.syslog-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Tainted Kernel Module Load"
+risk_score = 21
+rule_id = "05cad2fb-200c-407f-b472-02ea8c9e5e4a"
+setup = """
+
+This rule requires data coming in from one of the following integrations:
+- Filebeat
+
+### Filebeat Setup
+Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
+
+#### The following steps should be executed in order to add the Filebeat for the Linux System:
+- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
+- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).
+- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
+- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
+- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
+- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
+
+#### Rule Specific Setup Note
+- This rule requires the Filebeat System Module to be enabled.
+- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
+- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
+
+"""
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR"
+ ]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and
+message:"module verification failed: signature and/or required key missing - tainting kernel"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat.technique]]
+name = "Rootkit"
+id = "T1014"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
diff --git a/rules_building_block/persistence_transport_agent_exchange.toml b/rules_building_block/persistence_transport_agent_exchange.toml
index 1cd24b108..ed796dd59 100644
--- a/rules_building_block/persistence_transport_agent_exchange.toml
+++ b/rules_building_block/persistence_transport_agent_exchange.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/14"
+updated_date = "2023/10/19"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,10 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft Exchange Transport Agent Install Script"
-note = """## Setup
+risk_score = 21
+rule_id = "846fe13f-6772-4c83-bd39-9d16d4ad1a81"
+setup = """
+
 The 'PowerShell Script Block Logging' logging policy must be enabled.
 Steps to implement the logging policy with Advanced Audit Configuration:
 ```
@@ -33,8 +36,6 @@ Steps to implement the logging policy via registry:
 reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
 ```
 """
-risk_score = 21
-rule_id = "846fe13f-6772-4c83-bd39-9d16d4ad1a81"
 severity = "low"
 tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index eaf7a86c7..d6f28d68e 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
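Review bot: The Tainted Kernel Module Load query pins one kernel log line, `message:"module verification failed: signature and/or required key missing - tainting kernel"`, which is the unsigned-module taint only; the kernel reports other taint reasons on different lines (for example the `loading out-of-tree module taints kernel.` message), so the rule name promises more than the query delivers. Either state in the description that only unsigned-module taints are covered, or add the other taint messages the deployment cares about to the `message` clause. The quick-start link in `setup` is also pinned to `filebeat/8.11/` while every other link uses `current`, which will go stale.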
@@ -10,24 +10,27 @@ import unittest import uuid import warnings from collections import defaultdict -from marshmallow import ValidationError from pathlib import Path import eql.ast +from marshmallow import ValidationError from semver import Version import kql from detection_rules import attack from detection_rules.beats import parse_beats_from_index -from detection_rules.integrations import load_integrations_schemas +from detection_rules.integrations import (find_latest_compatible_version, + load_integrations_manifests, + load_integrations_schemas) from detection_rules.misc import load_current_package_version from detection_rules.packaging import current_stack_version -from detection_rules.rule import (QueryRuleData, TOMLRuleContents, - load_integrations_manifests, QueryValidator) +from detection_rules.rule import (QueryRuleData, QueryValidator, + TOMLRuleContents) from detection_rules.rule_loader import FILE_PATTERN from detection_rules.rule_validators import EQLValidator, KQLValidator from detection_rules.schemas import definitions, get_stack_schemas -from detection_rules.utils import INTEGRATION_RULE_DIR, get_path, load_etc_dump, PatchedTemplate +from detection_rules.utils import (INTEGRATION_RULE_DIR, PatchedTemplate, + get_path, load_etc_dump) from detection_rules.version_lock import default_version_lock from rta import get_available_tests @@ -240,6 +243,7 @@ class TestThreatMappings(BaseRuleTest): f'Flatten to a single entry per tactic') +@unittest.skipIf(os.environ.get('DR_BYPASS_TAGS_VALIDATION') is not None, "Skipping tag validation") class TestRuleTags(BaseRuleTest): """Test tags data for rules.""" @@ -313,6 +317,7 @@ class TestRuleTags(BaseRuleTest): self.fail(error_msg) def test_primary_tactic_as_tag(self): + """Test that the primary tactic is present as a tag.""" from detection_rules.attack import tactics invalid = [] 
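Review bot: The class-level guard added in the `@@ -240` hunk, `os.environ.get('DR_BYPASS_TAGS_VALIDATION') is not None`, disables every test in `TestRuleTags` for any value of the variable, including an empty one (`DR_BYPASS_TAGS_VALIDATION=`); if the bypass is meant to be an explicit opt-in, test truthiness instead, `@unittest.skipIf(os.environ.get('DR_BYPASS_TAGS_VALIDATION'), "Skipping tag validation")`, and say so in the CLI.md sentence that documents the variable. The hunk uses `os` but does not add `import os`; the `@@ -10` hunk covers the import block from `import uuid` onward, so presumably `os` is imported above line 10 — worth confirming rather than relying on it. Since the whole validation class is switched off by one variable, a short comment above the decorator naming the intended use (`# local/dev escape hatch only; not set in CI`) would make the scope of the bypass explicit — I am inferring that intent from the CLI.md wording, not from this file.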
@@ -632,7 +637,8 @@ class TestRuleMetadata(BaseRuleTest):
 # checks if an index pattern exists if the package integration tag exists
 integration_string = "|".join(indices)
 if not re.search(rule_integration, integration_string):
- if rule_integration == "windows" and re.search("winlog", integration_string):
+ if rule_integration == "windows" and re.search("winlog", integration_string) or \
+ rule_integration in [*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)]:
 continue
 err_msg = f'{self.rule_str(rule)} {rule_integration} tag, index pattern missing.'
 failures.append(err_msg)
@@ -658,7 +664,8 @@ class TestRuleMetadata(BaseRuleTest):
 ]
 if any([re.search("|".join(non_dataset_packages), i, re.IGNORECASE)
 for i in rule.contents.data.index]):
- if not rule.contents.metadata.integration and rule.id not in ignore_ids:
+ if not rule.contents.metadata.integration and rule.id not in ignore_ids and \
+ rule.contents.data.type not in definitions.MACHINE_LEARNING:
 err_msg = f'substrings {non_dataset_packages} found in '\
 f'{self.rule_str(rule)} rule index patterns are {rule.contents.data.index},' \
 f'but no integration tag found'
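Review bot: The new condition in the `@@ -632` hunk mixes `and` and `or` across a line continuation and relies on precedence for the intended `(windows and winlog) or ml-package` reading; make it explicit, `if (rule_integration == "windows" and re.search("winlog", integration_string)) or rule_integration in ml_packages:`. `[*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)]` is rebuilt for every rule and every tag inside the loop; hoist it once before the loop as `ml_packages = {p.lower() for p in definitions.MACHINE_LEARNING_PACKAGES}` so the membership test is a set lookup. The `@@ -658` hunk compares `rule.contents.data.type` against `definitions.MACHINE_LEARNING` while the first hunk uses `definitions.MACHINE_LEARNING_PACKAGES`; presumably one is the rule-type set and the other the package names, and a one-line comment at each use would stop readers assuming a typo. Both enclosing methods start outside their hunks.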
@@ -890,6 +897,48 @@ class TestIntegrationRules(BaseRuleTest): self.fail(f'The following ({len(failures)}) rules have a `min_stack_version` defined but missing comments:' f'\n{err_msg}') + def test_ml_integration_jobs_exist(self): + """Test that machine learning jobs exist in the integration.""" + failures = [] + + ml_integration_names = list(map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)) + integration_schemas = load_integrations_schemas() + integration_manifests = load_integrations_manifests() + + for rule in self.all_rules: + if rule.contents.data.type == "machine_learning": + ml_integration_name = next((i for i in rule.contents.metadata.integration + if i in ml_integration_names), None) + if ml_integration_name: + if "machine_learning_job_id" not in dir(rule.contents.data): + failures.append(f'{self.rule_str(rule)} missing `machine_learning_job_id`') + else: + rule_job_id = rule.contents.data.machine_learning_job_id + ml_schema = integration_schemas.get(ml_integration_name) + min_version = Version.parse( + rule.contents.metadata.min_stack_version or load_current_package_version(), + optional_minor_and_patch=True + ) + latest_compat_ver = find_latest_compatible_version( + package=ml_integration_name, + integration="", + rule_stack_version=min_version, + packages_manifest=integration_manifests + ) + compat_integration_schema = ml_schema[latest_compat_ver[0]] + if rule_job_id not in compat_integration_schema['jobs']: + failures.append( + f'{self.rule_str(rule)} machine_learning_job_id `{rule_job_id}` not found ' + f'in version `{latest_compat_ver[0]}` of `{ml_integration_name}` integration. ' + f'existing jobs: {compat_integration_schema["jobs"]}' + ) + + if failures: + err_msg = '\n'.join(failures) + self.fail( + f'The following ({len(failures)}) rules are missing a valid `machine_learning_job_id`:\n{err_msg}' + ) + class TestRuleTiming(BaseRuleTest): """Test rule timing and timestamps.""" 
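Review bot: `test_ml_integration_jobs_exist` dereferences several values that can be absent and would raise instead of being reported through `failures`: `rule.contents.metadata.integration` is iterated unguarded (the new-terms tests in this same file treat it as optional via `meta.get("integration")`), `integration_schemas.get(ml_integration_name)` may return `None`, and `latest_compat_ver[0]` is indexed without checking that `find_latest_compatible_version` found anything, a check `test_new_terms_fields` does make (`if latest_tag_compat_ver:`). `"machine_learning_job_id" not in dir(rule.contents.data)` reads more clearly as `getattr(..., None)`, and the four nested `if` levels flatten out with `continue` guards, as sketched below. Since a rule's job-id field may hold more than one id (I am inferring this from the schema-side `'jobs'` list, not from this hunk), confirm that `rule_job_id not in compat_integration_schema['jobs']` behaves as intended when `rule_job_id` is a list.
```python
        for rule in self.all_rules:
            if rule.contents.data.type != "machine_learning":
                continue
            ml_integration_name = next((i for i in (rule.contents.metadata.integration or [])
                                        if i in ml_integration_names), None)
            if not ml_integration_name:
                continue
            rule_job_id = getattr(rule.contents.data, "machine_learning_job_id", None)
            if rule_job_id is None:
                failures.append(f'{self.rule_str(rule)} missing `machine_learning_job_id`')
                continue
            ml_schema = integration_schemas.get(ml_integration_name)
            # … unchanged: min_version / find_latest_compatible_version …
            if not ml_schema or not latest_compat_ver or latest_compat_ver[0] not in ml_schema:
                failures.append(f'{self.rule_str(rule)} no `{ml_integration_name}` schema compatible '
                                f'with stack {min_version} found')
                continue
            compat_integration_schema = ml_schema[latest_compat_ver[0]]
            # … unchanged: job id membership check and failure message …
```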
@@ -1107,15 +1156,18 @@ class TestRiskScoreMismatch(BaseRuleTest): def test_rule_risk_score_severity_mismatch(self): invalid_list = [] risk_severity = { - "critical": 99, - "high": 73, - "medium": 47, - "low": 21, + "critical": (74, 100), # updated range for critical + "high": (48, 73), # updated range for high + "medium": (22, 47), # updated range for medium + "low": (0, 21), # updated range for low } for rule in self.all_rules: severity = rule.contents.data.severity risk_score = rule.contents.data.risk_score - if risk_severity[severity] != risk_score: + + # Check if the risk_score falls within the range for the severity level + min_score, max_score = risk_severity[severity] + if not min_score <= risk_score <= max_score: invalid_list.append(f'{self.rule_str(rule)} Severity: {severity}, Risk Score: {risk_score}') if invalid_list: 
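Review bot: The four trailing comments on the `risk_severity` entries (`# updated range for critical`, `# updated range for high`, …) only restate the key and will read as stale the next time the bands change; replace them with one comment above the dict that explains the data, e.g. `# inclusive risk_score band per severity; the upper bound of each band is the single value the test previously required`. `min_score, max_score = risk_severity[severity]` still raises `KeyError` for a severity outside the four keys rather than adding the rule to `invalid_list`; `band = risk_severity.get(severity)` followed by `if band is None or not band[0] <= risk_score <= band[1]:` would report it with the rule name like the other mismatches.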
@@ -1227,22 +1279,22 @@ class TestNoteMarkdownPlugins(BaseRuleTest): class TestAlertSuppression(BaseRuleTest): """Test rule alert suppression.""" - @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.6.0"), + @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.8.0"), "Test only applicable to 8.6+ stacks for rule alert suppression feature.") def test_group_length(self): """Test to ensure the rule alert suppression group_by does not exceed 3 elements.""" for rule in self.production_rules: - if rule.contents.data.alert_suppression: + if rule.contents.data.get('alert_suppression'): group_length = len(rule.contents.data.alert_suppression.group_by) if group_length > 3: self.fail(f'{self.rule_str(rule)} has rule alert suppression with more than 3 elements.') - @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.6.0"), - "Test only applicable to 8.6+ stacks for rule alert suppression feature.") + @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.8.0"), + "Test only applicable to 8.8+ stacks for rule alert suppression feature.") def test_group_field_in_schemas(self): """Test to ensure the fields are defined is in ECS/Beats/Integrations schema.""" for rule in self.production_rules: - if rule.contents.data.alert_suppression: + if rule.contents.data.get('alert_suppression'): group_by_fields = rule.contents.data.alert_suppression.group_by min_stack_version = rule.contents.metadata.get("min_stack_version") if min_stack_version is None: 
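Review bot: The first `skipIf` in the hunk was raised to `Version.parse("8.8.0")` but its reason string still says `Test only applicable to 8.6+ stacks for rule alert suppression feature.`, while the second decorator updated both; change the first to `"Test only applicable to 8.8+ stacks for rule alert suppression feature."`. The identical guard is now repeated on every method of `TestAlertSuppression`; a module-level `ALERT_SUPPRESSION_MIN_STACK = Version.parse("8.8.0")` used by each decorator would keep the version and the message from drifting apart again. `test_group_field_in_schemas` continues past the hunk.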
@@ -1268,32 +1320,100 @@ class TestAlertSuppression(BaseRuleTest): self.fail(f"{self.rule_str(rule)} alert suppression field {fld} not \ found in ECS, Beats, or non-ecs schemas") - @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.6.0"), - "Test only applicable to 8.6+ stacks for rule alert suppression feature.") - def test_stack_version(self): - """Test to ensure the stack version is 8.6+""" + +class TestNewTerms(BaseRuleTest): + """Test new term rules.""" + + @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.4.0"), + "Test only applicable to 8.4+ stacks for new terms feature.") + def test_history_window_start(self): + """Test new terms history window start field.""" + for rule in self.production_rules: - if rule.contents.data.alert_suppression: - per_time = rule.contents.data.alert_suppression.get("duration", None) - min_stack_version = rule.contents.metadata.get("min_stack_version") - if min_stack_version is None: - min_stack_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True) - else: - min_stack_version = Version.parse(min_stack_version) - if not per_time and min_stack_version < Version.parse("8.6.0"): - self.fail(f'{self.rule_str(rule)} has rule alert suppression but \ - min_stack is not 8.6+') - elif per_time and min_stack_version < Version.parse("8.7.0"): - self.fail(f'{self.rule_str(rule)} has rule alert suppression with \ - per time but min_stack is not 8.7+') + if rule.contents.data.type == "new_terms": + + # validate history window start field exists and is correct + assert rule.contents.data.new_terms.history_window_start, \ + "new terms field found with no history_window_start field defined" + assert rule.contents.data.new_terms.history_window_start[0].field == "history_window_start", \ + f"{rule.contents.data.new_terms.history_window_start} should be 'history_window_start'" + + @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.4.0"), + "Test only applicable to 8.4+ stacks for new terms 
feature.") + def test_new_terms_field_exists(self): + # validate new terms and history window start fields are correct + for rule in self.production_rules: + if rule.contents.data.type == "new_terms": + assert rule.contents.data.new_terms.field == "new_terms_fields", \ + f"{rule.contents.data.new_terms.field} should be 'new_terms_fields' for new_terms rule type" + + @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.4.0"), + "Test only applicable to 8.4+ stacks for new terms feature.") + def test_new_terms_fields(self): + """Test new terms fields are schema validated.""" + # ecs validation + for rule in self.production_rules: + if rule.contents.data.type == "new_terms": + meta = rule.contents.metadata + feature_min_stack = Version.parse('8.4.0') + current_package_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True) + min_stack_version = Version.parse(meta.get("min_stack_version")) if \ + meta.get("min_stack_version") else None + min_stack_version = current_package_version if min_stack_version is None or min_stack_version < \ + current_package_version else min_stack_version + + assert min_stack_version >= feature_min_stack, \ + f"New Terms rule types only compatible with {feature_min_stack}+" + ecs_version = get_stack_schemas()[str(min_stack_version)]['ecs'] + beats_version = get_stack_schemas()[str(min_stack_version)]['beats'] + + # checks if new terms field(s) are in ecs, beats non-ecs or integration schemas + queryvalidator = QueryValidator(rule.contents.data.query) + _, _, schema = queryvalidator.get_beats_schema([], beats_version, ecs_version) + integration_manifests = load_integrations_manifests() + integration_schemas = load_integrations_schemas() + integration_tags = meta.get("integration") + if integration_tags: + for tag in integration_tags: + latest_tag_compat_ver, _ = find_latest_compatible_version( + package=tag, + integration="", + rule_stack_version=min_stack_version, + packages_manifest=integration_manifests) 
+ if latest_tag_compat_ver: + integration_schema = integration_schemas[tag][latest_tag_compat_ver] + for policy_template in integration_schema.keys(): + schema.update(**integration_schemas[tag][latest_tag_compat_ver][policy_template]) + for new_terms_field in rule.contents.data.new_terms.value: + assert new_terms_field in schema.keys(), \ + f"{new_terms_field} not found in ECS, Beats, or non-ecs schemas" + + @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.4.0"), + "Test only applicable to 8.4+ stacks for new terms feature.") + def test_new_terms_max_limit(self): + """Test new terms max limit.""" + # validates length of new_terms to stack version - https://github.com/elastic/kibana/issues/142862 + for rule in self.production_rules: + if rule.contents.data.type == "new_terms": + meta = rule.contents.metadata + feature_min_stack = Version.parse('8.4.0') + feature_min_stack_extended_fields = Version.parse('8.6.0') + current_package_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True) + min_stack_version = Version.parse(meta.get("min_stack_version")) if \ + meta.get("min_stack_version") else None + min_stack_version = current_package_version if min_stack_version is None or min_stack_version < \ + current_package_version else min_stack_version + if min_stack_version >= feature_min_stack and \ + min_stack_version < feature_min_stack_extended_fields: + assert len(rule.contents.data.new_terms.value) == 1, \ + f"new terms have a max limit of 1 for stack versions below {feature_min_stack_extended_fields}" @unittest.skipIf(PACKAGE_STACK_VERSION < Version.parse("8.6.0"), - "Test only applicable to 8.6+ stacks for rule alert suppression feature.") - def test_query_type(self): - """Test to ensure the query type is KQL only.""" + "Test only applicable to 8.4+ stacks for new terms feature.") + def test_new_terms_fields_unique(self): + """Test new terms fields are unique.""" + # validate fields are unique for rule in self.production_rules: 
- if rule.contents.data.alert_suppression: - rule_type = rule.contents.data.language - if rule_type != 'kuery': - self.fail(f'{self.rule_str(rule)} has rule alert suppression with \ - but query language is not KQL') + if rule.contents.data.type == "new_terms": + assert len(set(rule.contents.data.new_terms.value)) == len(rule.contents.data.new_terms.value), \ + f"new terms fields values are not unique - {rule.contents.data.new_terms.value}" diff --git a/tests/test_packages.py b/tests/test_packages.py index 25ea95626..ca014cbee 100644 --- a/tests/test_packages.py +++ b/tests/test_packages.py @@ -6,10 +6,15 @@ """Test that the packages are built correctly.""" import unittest import uuid +from semver import Version +from marshmallow import ValidationError from detection_rules import rule_loader +from detection_rules.schemas.registry_package import (RegistryPackageManifestV1, + RegistryPackageManifestV3) from detection_rules.packaging import PACKAGE_FILE, Package from detection_rules.rule_loader import RuleCollection + from tests.base import BaseRuleTest package_configs = Package.load_configs() 
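Review bot: `test_new_terms_fields_unique` at the end of the `@@ -1268` hunk is gated on `Version.parse("8.6.0")` with a reason that says `8.4+ stacks for new terms feature`, while the other four new-terms tests use `8.4.0`; one of the two values is wrong and the decorator should match its message. `test_new_terms_field_exists` has a leading comment where its siblings have a docstring, e.g. `"""Test that the new_terms field is named new_terms_fields."""`. In `test_new_terms_fields`, `load_integrations_manifests()`, `load_integrations_schemas()` and the two `get_stack_schemas()` calls run inside the per-rule loop and should be hoisted above it, and the inner `policy_template` loop can use the `integration_schema` local it has just bound instead of re-indexing `integration_schemas[tag][latest_tag_compat_ver]`. All five new tests use bare `assert` and stop at the first offending rule, unlike the surrounding tests that collect failures and report them with `self.rule_str(rule)` via `self.fail`; following that pattern gives one run per package rather than one failure per run.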
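Review bot: In the tests/test_packages.py `@@ -6` hunk the third-party imports `from semver import Version` and `from marshmallow import ValidationError` are placed directly under the stdlib `import uuid` with no separating blank line, while the project imports sit in their own group; move them into a third-party group after the stdlib block so the file follows the stdlib / third-party / local layout the rest of the diff (the `@@ -10` hunk of test_all_rules.py) already uses.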
@@ -91,19 +96,20 @@ class TestRegistryPackage(unittest.TestCase): @classmethod def setUpClass(cls) -> None: - from detection_rules.schemas.registry_package import RegistryPackageManifest assert 'registry_data' in package_configs, f'Missing registry_data in {PACKAGE_FILE}' cls.registry_config = package_configs['registry_data'] - RegistryPackageManifest.from_dict(cls.registry_config) + stack_version = Version.parse(cls.registry_config['conditions']['kibana.version'].strip("^"), + optional_minor_and_patch=True) + if stack_version >= Version.parse("8.12.0"): + RegistryPackageManifestV3.from_dict(cls.registry_config) + else: + RegistryPackageManifestV1.from_dict(cls.registry_config) def test_registry_package_config(self): """Test that the registry package is validating properly.""" - from marshmallow import ValidationError - from detection_rules.schemas.registry_package import RegistryPackageManifest - registry_config = self.registry_config.copy() registry_config['version'] += '7.1.1.' with self.assertRaises(ValidationError): - RegistryPackageManifest.from_dict(registry_config) + RegistryPackageManifestV1.from_dict(registry_config)