[Rule Tuning] Small update on rule descriptions (#1508)

Jonhnathan
2021-09-30 17:54:15 -03:00
committed by GitHub
parent 76a0224f60
commit 5e4a7e67df
12 changed files with 29 additions and 19 deletions
@@ -41,8 +41,8 @@ this has the potential to uncover unknown threats or activity.
#### Possible investigation steps:
- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.
- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.
- Consider the user as identified by the `user.name field`. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
- Consider the user as identified by the `user.name field`. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
### False Positive Analysis
- This rule has the possibility to produce false positives based on unexpected activity occurring such as bugs or recent
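Review bot: the rewritten user-context bullet (the new line beginning "Consider the user as identified by") still has the word "field" inside the code span, `user.name field`; only the field name belongs in backticks, as the same bullet already does for `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`. Suggest "identified by the `user.name` field". The other CloudTrail investigation notes in this commit already write it that way, so this file would otherwise be the odd one out. Also, "an EC2 instance that's not under your control" introduces a contraction into otherwise formal guidance; "that is not under your control" keeps the register.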
@@ -34,8 +34,8 @@ Investigating Unusual CloudTrail Error Activity ###
Detection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:
- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script.
- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.
- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?"""
- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
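Review bot: the unchanged context bullet "Examine the history of the error" still reads `aws.cloudtrail.error_code field`, with "field" inside the backticks; since the two bullets right below it are being reworked, move the closing backtick to after `error_code` so it matches the "`aws.cloudtrail.user_identity.arn` field" wording in the rewritten line. The "access key ID" capitalisation now agrees with the other CloudTrail notes in this commit, which is the right direction.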
@@ -33,8 +33,8 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
### Investigating an Unusual CloudTrail Event
Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?
- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.
- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
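Review bot: the context bullet "Examine the history of the command" has `event.action field` with "field" inside the code span, which a reader could take as the literal field name; suggest "`event.action` field". This "Investigating an Unusual CloudTrail Event" bullet list is repeated near-verbatim in the country and IAM-user rules touched further down in this commit, so whatever wording is chosen here should be applied to every copy in one pass rather than drifting per file.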
@@ -39,8 +39,8 @@ are observed. This example rule focuses on AWS command activity where the countr
considered unusual based on previous history.
#### Possible investigation steps:
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?
- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.
- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.
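Review bot: same `event.action field` backtick slip in the unchanged "Examine the history of the command" bullet two lines below the edit; the hunk context already covers it, so it can be fixed in the same commit. Separately, this rule heads the list with "#### Possible investigation steps:" while the sibling rules use "### Investigating an Unusual CloudTrail Event" for the identical bullets; pick one heading level and title so the rendered notes look the same across the ML rule set.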
@@ -33,8 +33,8 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
### Investigating an Unusual CloudTrail Event
Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:
- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?
- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.
- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
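Review bot: the hunk only changes "id" to "ID" and "not under" to "that's not under", but the `event.action field` code span in the "Examine the history of the command" bullet, which sits inside this hunk's trailing context, still wraps the word "field"; fix it here too so the three copies of this note stay identical. The user-first bullet ordering makes sense for this rule, since the anomaly is keyed on the calling IAM user rather than on geolocation.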
@@ -49,9 +49,20 @@ framework = "MITRE ATT&CK"
name = "Persistence"
id = "TA0003"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"
[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
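Review bot: the commit title "Small update on rule descriptions" does not cover this hunk, which changes a rule's ATT&CK mapping by adding a second `[[rule.threat]]` block (T1562 Impair Defenses, sub-technique T1562.007 Disable or Modify Cloud Firewall, tactic Defense Evasion TA0005) alongside the existing Persistence TA0003 block; call that out in the message so the mapping is reviewed on its own merits, and check that the rule's description and note still read consistently for a rule now tagged with both tactics. As shown, the new `[rule.threat.tactic]` table ends at `id = "TA0005"`, whereas the Persistence block above carries `reference = "https://attack.mitre.org/tactics/TA0003/"`; if the hunk is complete as rendered, add the matching `reference = "https://attack.mitre.org/tactics/TA0005/"` line.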
@@ -9,10 +9,9 @@ anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of
detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive
(because the user has left the organization) that becomes active may be due to credentialed access using a compromised
account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web
application.
detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user
has left the organization) that becomes active may be due to credentialed access using a compromised account password.
Threat actors will sometimes also create new users as a means of persisting in a compromised web application.
"""
false_positives = [
"""
@@ -9,7 +9,7 @@ description = """
This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior
for a managed network and can be indicative of malware, exfiltration, command and control, or simply
misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and
logging of DNS and it opens your network to a variety of abuses and malicious communications.
logging of DNS, and it opens your network to a variety of abuses and malicious communications.
"""
false_positives = [
"""
@@ -8,7 +8,7 @@ author = ["Elastic"]
description = """
Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining
initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for
adversaries as a way to protect their more valuable tools and TTPs (tactics, techniques, and procedures). This may be
adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be
atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
"""
false_positives = [
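Review bot: the expanded form "their more valuable tools and tactics, techniques, and procedures (TTPs)" now reads as a single four-item list, blurring that tools and TTPs are two separate things. "their more valuable tools and their tactics, techniques, and procedures (TTPs)" or keeping "tools and TTPs (tactics, techniques, and procedures)" preserves the distinction. The term-then-abbreviation order on first use is otherwise the right convention.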
@@ -19,7 +19,7 @@ name = "Whitespace Padding in Process Command Line"
note = """## Triage and analysis
- Analyze the command line of the process in question for evidence of malicious code execution.
- Review the ancestry and child processes spawned by the process in question for indicators of further malicious code execution."""
- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution."""
references = ["https://twitter.com/JohnLaTwC/status/1419251082736201737"]
risk_score = 47
rule_id = "e0dacebe-4311-4d50-9387-b17e89c2e7fd"
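Review bot: "ancestor and child processes spawned by the process in question" is wrong as written: ancestors are not spawned by the process, they spawned it. The original "ancestry" was closer to the intent. Suggest "Review the process ancestry, and the child processes spawned by the process in question, for indicators of further malicious code execution."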
@@ -10,7 +10,7 @@ Identifies suspicious commands executed via a web server, which may suggest a vu
"""
false_positives = [
"""
Security audits, maintenance and network administrative scripts may trigger this alert when run under web processes.
Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.
""",
]
from = "now-9m"
@@ -15,7 +15,7 @@ language = "eql"
license = "Elastic License v2"
name = "Unusual Parent-Child Relationship"
references = [
"https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes%20TH.map.png",
"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
]
risk_score = 47
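Review bot: percent-encoding every space in the GitHub blob path is the right fix for a reference string that gets rendered as a link. Because the old value mixed a raw space in "Hunting MindMaps" with an encoded one in "Processes%20TH", it looks hand-edited rather than copied from the browser, so confirm the new URL actually resolves before merging.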