From 5e4a7e67dff1cf2748086b5f50d6ba1fcf65acc3 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 30 Sep 2021 17:54:15 -0300
Subject: [PATCH] [Rule Tuning] Small update on rule descriptions (#1508)
---
 .../aws/ml_cloudtrail_error_message_spike.toml | 4 ++--
 .../aws/ml_cloudtrail_rare_error_code.toml | 4 ++--
 .../aws/ml_cloudtrail_rare_method_by_city.toml | 4 ++--
 .../aws/ml_cloudtrail_rare_method_by_country.toml | 4 ++--
 .../aws/ml_cloudtrail_rare_method_by_user.toml | 4 ++--
 ...security_group_configuration_change_detection.toml | 11 +++++++++++
 rules/ml/ml_auth_rare_user_logon.toml | 7 +++----
 ...mand_and_control_dns_directly_to_the_internet.toml | 2 +-
 ...control_download_rar_powershell_from_internet.toml | 2 +-
 ...se_evasion_whitespace_padding_in_command_line.toml | 2 +-
 rules/windows/persistence_webshell_detection.toml | 2 +-
 ...e_escalation_unusual_parentchild_relationship.toml | 2 +-
 12 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index b0667050d..d959d2c8e 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -41,8 +41,8 @@ this has the potential to uncover unknown threats or activity.
 #### Possible investigation steps:
 - Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.
 - Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.
-- Consider the user as identified by the `user.name field`. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
-- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- Consider the user as identified by the `user.name field`. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
+- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
 ### False Positive Analysis
 - This rule has the possibility to produce false positives based on unexpected activity occurring such as bugs or recent
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 77fd4a2a3..df39b1184 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
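Review bot: The new `- Consider the user ...` line still carries the misplaced backtick in `` `user.name field` ``, while the same bullet in the other four CloudTrail rules in this commit reads `` `user.name` field ``; the hunk corrects "access key id" but leaves this, so the field name an analyst will copy out of the rendered investigation guide is wrong. Change it to `` `user.name` field ``. The same slip sits on unchanged context lines in the neighbouring hunks: `` `aws.cloudtrail.error_code field` `` in ml_cloudtrail_rare_error_code.toml and `` `event.action field` `` in the rare_method_by_city, rare_method_by_country and rare_method_by_user rules, which would be worth fixing in the same pass since these guides are meant to be consistent across the rule set. The multi-line note string this hunk edits begins and ends outside the hunk.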
@@ -34,8 +34,8 @@ Investigating Unusual CloudTrail Error Activity ###
 Detection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:
 - Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script.
 - Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.
-- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
-- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?"""
+- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
+- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index b5a70f525..a64738482 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -33,8 +33,8 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 ### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:
-- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
-- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
+- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?
 - Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.
 - Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index f07c93acf..b89818381 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -39,8 +39,8 @@ are observed. This example rule focuses on AWS command activity where the countr
 considered unusual based on previous history.
 #### Possible investigation steps:
-- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
-- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
+- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?
 - Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.
 - Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 45c79b528..4744d2f8d 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -33,8 +33,8 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
 ### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:
-- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
-- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
+- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
 - Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?
 - Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.
 - Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index bb6a071e1..1fcc2545c 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -49,9 +49,20 @@ framework = "MITRE ATT&CK"
 name = "Persistence"
 id = "TA0003"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1562.007"
+ name = "Disable or Modify Cloud Firewall"
+ reference = "https://attack.mitre.org/techniques/T1562/007/"
+
 [rule.threat.tactic]
 name = "Defense Evasion"
 id = "TA0005"
diff --git a/rules/ml/ml_auth_rare_user_logon.toml b/rules/ml/ml_auth_rare_user_logon.toml
index b9d93a4a2..2f5721b52 100644
--- a/rules/ml/ml_auth_rare_user_logon.toml
+++ b/rules/ml/ml_auth_rare_user_logon.toml
@@ -9,10 +9,9 @@ anomaly_threshold = 75
 author = ["Elastic"]
 description = """
 A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of
-detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive
-(because the user has left the organization) that becomes active may be due to credentialed access using a compromised
-account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web
-application.
+detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user
+has left the organization) that becomes active may be due to credentialed access using a compromised account password.
+Threat actors will sometimes also create new users as a means of persisting in a compromised web application.
 """
 false_positives = [
 """
diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml
index 3386d5a4f..8394d6ff3 100644
--- a/rules/network/command_and_control_dns_directly_to_the_internet.toml
+++ b/rules/network/command_and_control_dns_directly_to_the_internet.toml
@@ -9,7 +9,7 @@ description = """
 This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical
 behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply
 misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and
-logging of DNS and it opens your network to a variety of abuses and malicious communications.
+logging of DNS, and it opens your network to a variety of abuses and malicious communications.
 """
 false_positives = [
 """
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index f0ff8b77a..b1a288631 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -8,7 +8,7 @@ author = ["Elastic"]
 description = """
 Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining
 initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for
-adversaries as a way to protect their more valuable tools and TTPs (tactics, techniques, and procedures). This may be
+adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be
 atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
 """
 false_positives = [
diff --git a/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml b/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml
index af7798572..9855efce1 100644
--- a/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml
+++ b/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml
@@ -19,7 +19,7 @@ name = "Whitespace Padding in Process Command Line"
 note = """## Triage and analysis
 - Analyze the command line of the process in question for evidence of malicious code execution.
-- Review the ancestry and child processes spawned by the process in question for indicators of further malicious code execution."""
+- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution."""
 references = ["https://twitter.com/JohnLaTwC/status/1419251082736201737"]
 risk_score = 47
 rule_id = "e0dacebe-4311-4d50-9387-b17e89c2e7fd"
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index 51a534664..c2eb1dff0 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -10,7 +10,7 @@ Identifies suspicious commands executed via a web server, which may suggest a vu
 """
 false_positives = [
 """
- Security audits, maintenance and network administrative scripts may trigger this alert when run under web processes.
+ Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.
 """,
 ]
 from = "now-9m"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index bc091a645..ff195838a 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -15,7 +15,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Unusual Parent-Child Relationship"
 references = [
- "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes%20TH.map.png",
+ "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
 "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
 ]
 risk_score = 47