From 5fcece84160e2e5ecadef8ba4989445abbe523fc Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Mon, 29 Jun 2020 22:57:00 -0600 Subject: [PATCH] Populate rules/ directory. Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-Authored-By: Craig Chamberlain Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com> Co-Authored-By: Derek Ditch Co-Authored-By: Justin Ibarra --- rules/apm/apm_403_response_to_a_post.toml | 34 ++++++++ .../apm_405_response_method_not_allowed.toml | 34 ++++++++ rules/apm/apm_null_user_agent.toml | 46 +++++++++++ rules/apm/apm_sqlmap_user_agent.toml | 34 ++++++++ ...collection_cloudtrail_logging_created.toml | 50 ++++++++++++ ...ial_access_iam_user_addition_to_group.toml | 60 ++++++++++++++ ...se_evasion_cloudtrail_logging_deleted.toml | 50 ++++++++++++ ..._evasion_cloudtrail_logging_suspended.toml | 54 +++++++++++++ ...nse_evasion_cloudwatch_alarm_deletion.toml | 50 ++++++++++++ ...vasion_configuration_recorder_stopped.toml | 50 ++++++++++++ ...defense_evasion_ec2_flow_log_deletion.toml | 53 ++++++++++++ ...ense_evasion_ec2_network_acl_deletion.toml | 55 +++++++++++++ ...e_evasion_guardduty_detector_deletion.toml | 53 ++++++++++++ ...sion_s3_bucket_configuration_deletion.toml | 53 ++++++++++++ .../aws/defense_evasion_waf_acl_deletion.toml | 50 ++++++++++++ ...fense_evasion_waf_rule_group_deletion.toml | 50 ++++++++++++ .../impact_cloudtrail_logging_updated.toml | 62 ++++++++++++++ .../impact_cloudwatch_log_group_deletion.toml | 65 +++++++++++++++ ...impact_cloudwatch_log_stream_deletion.toml | 65 +++++++++++++++ .../impact_ec2_disable_ebs_encryption.toml | 54 +++++++++++++ .../aws/impact_iam_deactivate_mfa_device.toml | 54 +++++++++++++ rules/aws/impact_iam_group_deletion.toml | 53 ++++++++++++ rules/aws/impact_rds_cluster_deletion.toml | 55 +++++++++++++ .../impact_rds_instance_cluster_stoppage.toml | 52 ++++++++++++ .../initial_access_console_login_root.toml | 60 ++++++++++++++ .../persistence_ec2_network_acl_creation.toml | 55 +++++++++++++ rules/aws/persistence_iam_group_creation.toml | 53 ++++++++++++ .../aws/persistence_rds_cluster_creation.toml | 67 +++++++++++++++ .../endpoint_adversary_behavior_detected.toml | 28 +++++++ .../endpoint_cred_dumping_detected.toml | 28 +++++++ .../endpoint_cred_dumping_prevented.toml | 28 +++++++ .../endpoint_cred_manipulation_detected.toml | 28 +++++++ .../endpoint_cred_manipulation_prevented.toml | 28 +++++++ rules/endpoint/endpoint_exploit_detected.toml | 28 +++++++ .../endpoint/endpoint_exploit_prevented.toml | 28 +++++++ rules/endpoint/endpoint_malware_detected.toml | 28 +++++++ .../endpoint/endpoint_malware_prevented.toml | 28 +++++++ .../endpoint_permission_theft_detected.toml | 28 +++++++ .../endpoint_permission_theft_prevented.toml | 28 +++++++ .../endpoint_process_injection_detected.toml | 28 +++++++ .../endpoint_process_injection_prevented.toml | 28 +++++++ .../endpoint_ransomware_detected.toml | 28 +++++++ .../endpoint_ransomware_prevented.toml | 28 +++++++ .../credential_access_tcpdump_activity.toml | 59 ++++++++++++++ ...tempt_to_disable_iptables_or_firewall.toml | 40 +++++++++ ...ion_attempt_to_disable_syslog_service.toml | 40 +++++++++ ..._base32_encoding_or_decoding_activity.toml | 55 +++++++++++++ ..._base64_encoding_or_decoding_activity.toml | 55 +++++++++++++ ...deletion_of_bash_command_line_history.toml | 40 +++++++++ ...fense_evasion_disable_selinux_attempt.toml | 41 ++++++++++ ...fense_evasion_file_deletion_via_shred.toml | 41 ++++++++++ ...defense_evasion_file_mod_writable_dir.toml | 46 +++++++++++ ...ion_hex_encoding_or_decoding_activity.toml | 55 +++++++++++++ .../defense_evasion_hidden_file_dir_tmp.toml | 60 ++++++++++++++ ...defense_evasion_kernel_module_removal.toml | 60 ++++++++++++++ .../discovery_kernel_module_enumeration.toml | 47 +++++++++++ ...covery_virtual_machine_fingerprinting.toml | 47 +++++++++++ rules/linux/discovery_whoami_commmand.toml | 46 +++++++++++ rules/linux/execution_perl_tty_shell.toml | 40 +++++++++ rules/linux/execution_python_tty_shell.toml | 40 +++++++++ ...ment_telnet_network_activity_external.toml | 48 +++++++++++ ...ment_telnet_network_activity_internal.toml | 48 +++++++++++ rules/linux/linux_hping_activity.toml | 33 ++++++++ rules/linux/linux_iodine_activity.toml | 33 ++++++++ rules/linux/linux_mknod_activity.toml | 33 ++++++++ .../linux_netcat_network_connection.toml | 39 +++++++++ rules/linux/linux_nmap_activity.toml | 35 ++++++++ rules/linux/linux_nping_activity.toml | 33 ++++++++ ...nux_process_started_in_temp_directory.toml | 29 +++++++ rules/linux/linux_socat_activity.toml | 34 ++++++++ rules/linux/linux_strace_activity.toml | 33 ++++++++ .../persistence_kernel_module_activity.toml | 46 +++++++++++ ...sistence_shell_activity_by_web_server.toml | 44 ++++++++++ ...e_escalation_setgid_bit_set_via_chmod.toml | 55 +++++++++++++ ...e_escalation_setuid_bit_set_via_chmod.toml | 55 +++++++++++++ ...privilege_escalation_sudoers_file_mod.toml | 40 +++++++++ .../ml_linux_anomalous_network_activity.toml | 36 +++++++++ ...linux_anomalous_network_port_activity.toml | 27 +++++++ .../ml_linux_anomalous_network_service.toml | 26 ++++++ ..._linux_anomalous_network_url_activity.toml | 34 ++++++++ .../ml_linux_anomalous_process_all_hosts.toml | 37 +++++++++ rules/ml/ml_linux_anomalous_user_name.toml | 42 ++++++++++ rules/ml/ml_packetbeat_dns_tunneling.toml | 33 ++++++++ rules/ml/ml_packetbeat_rare_dns_question.toml | 36 +++++++++ .../ml/ml_packetbeat_rare_server_domain.toml | 36 +++++++++ rules/ml/ml_packetbeat_rare_urls.toml | 39 +++++++++ rules/ml/ml_packetbeat_rare_user_agent.toml | 37 +++++++++ rules/ml/ml_rare_process_by_host_linux.toml | 37 +++++++++ rules/ml/ml_rare_process_by_host_windows.toml | 40 +++++++++ rules/ml/ml_suspicious_login_activity.toml | 28 +++++++ ...ml_windows_anomalous_network_activity.toml | 38 +++++++++ .../ml_windows_anomalous_path_activity.toml | 34 ++++++++ ...l_windows_anomalous_process_all_hosts.toml | 40 +++++++++ ...ml_windows_anomalous_process_creation.toml | 36 +++++++++ rules/ml/ml_windows_anomalous_script.toml | 31 +++++++ rules/ml/ml_windows_anomalous_service.toml | 32 ++++++++ rules/ml/ml_windows_anomalous_user_name.toml | 43 ++++++++++ .../ml/ml_windows_rare_user_runas_event.toml | 32 ++++++++ ...windows_rare_user_type10_remote_login.toml | 36 +++++++++ ..._control_dns_directly_to_the_internet.toml | 57 +++++++++++++ ...fer_protocol_activity_to_the_internet.toml | 66 +++++++++++++++ ...hat_protocol_activity_to_the_internet.toml | 65 +++++++++++++++ ...d_control_nat_traversal_port_activity.toml | 50 ++++++++++++ .../command_and_control_port_26_activity.toml | 63 +++++++++++++++ ...ol_port_8000_activity_to_the_internet.toml | 52 ++++++++++++ ..._to_point_tunneling_protocol_activity.toml | 49 +++++++++++ ...l_proxy_port_activity_to_the_internet.toml | 55 +++++++++++++ ...te_desktop_protocol_from_the_internet.toml | 78 ++++++++++++++++++ ...mand_and_control_smtp_to_the_internet.toml | 62 ++++++++++++++ ..._server_port_activity_to_the_internet.toml | 51 ++++++++++++ ...ol_ssh_secure_shell_from_the_internet.toml | 78 ++++++++++++++++++ ...trol_ssh_secure_shell_to_the_internet.toml | 53 ++++++++++++ ...mand_and_control_telnet_port_activity.toml | 75 +++++++++++++++++ ..._control_tor_activity_to_the_internet.toml | 63 +++++++++++++++ ...l_network_computing_from_the_internet.toml | 64 +++++++++++++++ ...ual_network_computing_to_the_internet.toml | 52 ++++++++++++ ...mote_desktop_protocol_to_the_internet.toml | 65 +++++++++++++++ ...mote_procedure_call_from_the_internet.toml | 44 ++++++++++ ...remote_procedure_call_to_the_internet.toml | 44 ++++++++++ ...file_sharing_activity_to_the_internet.toml | 56 +++++++++++++ ...l_access_attempted_bypass_of_okta_mfa.toml | 44 ++++++++++ ...pact_attempt_to_revoke_okta_api_token.toml | 50 ++++++++++++ .../okta/impact_possible_okta_dos_attack.toml | 49 +++++++++++ ...icious_activity_reported_by_okta_user.toml | 81 +++++++++++++++++++ ...a_attempt_to_deactivate_okta_mfa_rule.toml | 36 +++++++++ .../okta_attempt_to_delete_okta_policy.toml | 37 +++++++++ .../okta_attempt_to_modify_okta_mfa_rule.toml | 36 +++++++++ ...a_attempt_to_modify_okta_network_zone.toml | 37 +++++++++ .../okta_attempt_to_modify_okta_policy.toml | 37 +++++++++ ...threat_detected_by_okta_threatinsight.toml | 31 +++++++ ...tor_privileges_assigned_to_okta_group.toml | 50 ++++++++++++ ...ence_attempt_to_create_okta_api_token.toml | 51 ++++++++++++ ..._deactivate_mfa_for_okta_user_account.toml | 50 ++++++++++++ ...nce_attempt_to_deactivate_okta_policy.toml | 51 ++++++++++++ ...set_mfa_factors_for_okta_user_account.toml | 50 ++++++++++++ ...d_control_certutil_network_connection.toml | 40 +++++++++ ...ial_access_credential_dumping_msbuild.toml | 42 ++++++++++ ...den_file_attribute_with_via_attribexe.toml | 49 +++++++++++ ...e_evasion_clearing_windows_event_logs.toml | 40 +++++++++ .../defense_evasion_cve_2020_0601.toml | 41 ++++++++++ ...delete_volume_usn_journal_with_fsutil.toml | 40 +++++++++ ...deleting_backup_catalogs_with_wbadmin.toml | 40 +++++++++ ...ble_windows_firewall_rules_with_netsh.toml | 40 +++++++++ ...coding_or_decoding_files_via_certutil.toml | 41 ++++++++++ ...ecution_msbuild_started_by_office_app.toml | 62 ++++++++++++++ ...n_execution_msbuild_started_by_script.toml | 54 +++++++++++++ ...ion_msbuild_started_by_system_process.toml | 54 +++++++++++++ ...ion_execution_msbuild_started_renamed.toml | 43 ++++++++++ ...cution_msbuild_started_unusal_process.toml | 47 +++++++++++ ...ution_via_trusted_developer_utilities.toml | 50 ++++++++++++ .../defense_evasion_injection_msbuild.toml | 53 ++++++++++++ ...isc_lolbin_connecting_to_the_internet.toml | 53 ++++++++++++ ...e_evasion_modification_of_boot_config.toml | 40 +++++++++ .../defense_evasion_via_filter_manager.toml | 40 +++++++++ ...ume_shadow_copy_deletion_via_vssadmin.toml | 40 +++++++++ ..._volume_shadow_copy_deletion_via_wmic.toml | 40 +++++++++ .../discovery_net_command_system_account.toml | 40 +++++++++ ...rocess_discovery_via_tasklist_command.toml | 44 ++++++++++ .../discovery_whoami_command_activity.toml | 46 +++++++++++ ...and_prompt_connecting_to_the_internet.toml | 58 +++++++++++++ ...n_command_shell_started_by_powershell.toml | 49 +++++++++++ ...tion_command_shell_started_by_svchost.toml | 37 +++++++++ ...le_program_connecting_to_the_internet.toml | 53 ++++++++++++ .../execution_local_service_commands.toml | 40 +++++++++ ...on_msbuild_making_network_connections.toml | 40 +++++++++ ...tion_mshta_making_network_connections.toml | 41 ++++++++++ rules/windows/execution_msxsl_network.toml | 40 +++++++++ ...ution_psexec_lateral_movement_command.toml | 58 +++++++++++++ ...er_program_connecting_to_the_internet.toml | 58 +++++++++++++ ...execution_script_executing_powershell.toml | 40 +++++++++ ...on_suspicious_ms_office_child_process.toml | 41 ++++++++++ ...n_suspicious_ms_outlook_child_process.toml | 40 +++++++++ .../execution_suspicious_pdf_reader.toml | 40 +++++++++ ...usual_network_connection_via_rundll32.toml | 40 +++++++++ ...on_unusual_process_network_connection.toml | 40 +++++++++ .../execution_via_compiled_html_file.toml | 60 ++++++++++++++ .../execution_via_net_com_assemblies.toml | 53 ++++++++++++ ...vement_direct_outbound_smb_connection.toml | 42 ++++++++++ .../persistence_adobe_hijack_persistence.toml | 37 +++++++++ ...istence_local_scheduled_task_commands.toml | 38 +++++++++ ...escalation_via_accessibility_features.toml | 53 ++++++++++++ ...ersistence_system_shells_via_services.toml | 40 +++++++++ .../persistence_user_account_creation.toml | 40 +++++++++ .../persistence_via_application_shimming.toml | 53 ++++++++++++ ...ge_escalation_uac_bypass_event_viewer.toml | 40 +++++++++ ...tion_unusual_parentchild_relationship.toml | 40 +++++++++ 186 files changed, 8373 insertions(+) create mode 100644 rules/apm/apm_403_response_to_a_post.toml create mode 100644 rules/apm/apm_405_response_method_not_allowed.toml create mode 100644 rules/apm/apm_null_user_agent.toml create mode 100644 rules/apm/apm_sqlmap_user_agent.toml create mode 100644 rules/aws/collection_cloudtrail_logging_created.toml create mode 100644 rules/aws/credential_access_iam_user_addition_to_group.toml create mode 100644 rules/aws/defense_evasion_cloudtrail_logging_deleted.toml create mode 100644 rules/aws/defense_evasion_cloudtrail_logging_suspended.toml create mode 100644 rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml create mode 100644 rules/aws/defense_evasion_configuration_recorder_stopped.toml create mode 100644 rules/aws/defense_evasion_ec2_flow_log_deletion.toml create mode 100644 rules/aws/defense_evasion_ec2_network_acl_deletion.toml create mode 100644 rules/aws/defense_evasion_guardduty_detector_deletion.toml create mode 100644 rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml create mode 100644 rules/aws/defense_evasion_waf_acl_deletion.toml create mode 100644 rules/aws/defense_evasion_waf_rule_group_deletion.toml create mode 100644 rules/aws/impact_cloudtrail_logging_updated.toml create mode 100644 rules/aws/impact_cloudwatch_log_group_deletion.toml create mode 100644 rules/aws/impact_cloudwatch_log_stream_deletion.toml create mode 100644 rules/aws/impact_ec2_disable_ebs_encryption.toml create mode 100644 rules/aws/impact_iam_deactivate_mfa_device.toml create mode 100644 rules/aws/impact_iam_group_deletion.toml create mode 100644 rules/aws/impact_rds_cluster_deletion.toml create mode 100644 rules/aws/impact_rds_instance_cluster_stoppage.toml create mode 100644 rules/aws/initial_access_console_login_root.toml create mode 100644 rules/aws/persistence_ec2_network_acl_creation.toml create mode 100644 rules/aws/persistence_iam_group_creation.toml create mode 100644 rules/aws/persistence_rds_cluster_creation.toml create mode 100644 rules/endpoint/endpoint_adversary_behavior_detected.toml create mode 100644 rules/endpoint/endpoint_cred_dumping_detected.toml create mode 100644 rules/endpoint/endpoint_cred_dumping_prevented.toml create mode 100644 rules/endpoint/endpoint_cred_manipulation_detected.toml create mode 100644 rules/endpoint/endpoint_cred_manipulation_prevented.toml create mode 100644 rules/endpoint/endpoint_exploit_detected.toml create mode 100644 rules/endpoint/endpoint_exploit_prevented.toml create mode 100644 rules/endpoint/endpoint_malware_detected.toml create mode 100644 rules/endpoint/endpoint_malware_prevented.toml create mode 100644 rules/endpoint/endpoint_permission_theft_detected.toml create mode 100644 rules/endpoint/endpoint_permission_theft_prevented.toml create mode 100644 rules/endpoint/endpoint_process_injection_detected.toml create mode 100644 rules/endpoint/endpoint_process_injection_prevented.toml create mode 100644 rules/endpoint/endpoint_ransomware_detected.toml create mode 100644 rules/endpoint/endpoint_ransomware_prevented.toml create mode 100644 rules/linux/credential_access_tcpdump_activity.toml create mode 100644 rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml create mode 100644 rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml create mode 100644 rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml create mode 100644 rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml create mode 100644 rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml create mode 100644 rules/linux/defense_evasion_disable_selinux_attempt.toml create mode 100644 rules/linux/defense_evasion_file_deletion_via_shred.toml create mode 100644 rules/linux/defense_evasion_file_mod_writable_dir.toml create mode 100644 rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml create mode 100644 rules/linux/defense_evasion_hidden_file_dir_tmp.toml create mode 100644 rules/linux/defense_evasion_kernel_module_removal.toml create mode 100644 rules/linux/discovery_kernel_module_enumeration.toml create mode 100644 rules/linux/discovery_virtual_machine_fingerprinting.toml create mode 100644 rules/linux/discovery_whoami_commmand.toml create mode 100644 rules/linux/execution_perl_tty_shell.toml create mode 100644 rules/linux/execution_python_tty_shell.toml create mode 100644 rules/linux/lateral_movement_telnet_network_activity_external.toml create mode 100644 rules/linux/lateral_movement_telnet_network_activity_internal.toml create mode 100644 rules/linux/linux_hping_activity.toml create mode 100644 rules/linux/linux_iodine_activity.toml create mode 100644 rules/linux/linux_mknod_activity.toml create mode 100644 rules/linux/linux_netcat_network_connection.toml create mode 100644 rules/linux/linux_nmap_activity.toml create mode 100644 rules/linux/linux_nping_activity.toml create mode 100644 rules/linux/linux_process_started_in_temp_directory.toml create mode 100644 rules/linux/linux_socat_activity.toml create mode 100644 rules/linux/linux_strace_activity.toml create mode 100644 rules/linux/persistence_kernel_module_activity.toml create mode 100644 rules/linux/persistence_shell_activity_by_web_server.toml create mode 100644 rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml create mode 100644 rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml create mode 100644 rules/linux/privilege_escalation_sudoers_file_mod.toml create mode 100644 rules/ml/ml_linux_anomalous_network_activity.toml create mode 100644 rules/ml/ml_linux_anomalous_network_port_activity.toml create mode 100644 rules/ml/ml_linux_anomalous_network_service.toml create mode 100644 rules/ml/ml_linux_anomalous_network_url_activity.toml create mode 100644 rules/ml/ml_linux_anomalous_process_all_hosts.toml create mode 100644 rules/ml/ml_linux_anomalous_user_name.toml create mode 100644 rules/ml/ml_packetbeat_dns_tunneling.toml create mode 100644 rules/ml/ml_packetbeat_rare_dns_question.toml create mode 100644 rules/ml/ml_packetbeat_rare_server_domain.toml create mode 100644 rules/ml/ml_packetbeat_rare_urls.toml create mode 100644 rules/ml/ml_packetbeat_rare_user_agent.toml create mode 100644 rules/ml/ml_rare_process_by_host_linux.toml create mode 100644 rules/ml/ml_rare_process_by_host_windows.toml create mode 100644 rules/ml/ml_suspicious_login_activity.toml create mode 100644 rules/ml/ml_windows_anomalous_network_activity.toml create mode 100644 rules/ml/ml_windows_anomalous_path_activity.toml create mode 100644 rules/ml/ml_windows_anomalous_process_all_hosts.toml create mode 100644 rules/ml/ml_windows_anomalous_process_creation.toml create mode 100644 rules/ml/ml_windows_anomalous_script.toml create mode 100644 rules/ml/ml_windows_anomalous_service.toml create mode 100644 rules/ml/ml_windows_anomalous_user_name.toml create mode 100644 rules/ml/ml_windows_rare_user_runas_event.toml create mode 100644 rules/ml/ml_windows_rare_user_type10_remote_login.toml create mode 100644 rules/network/command_and_control_dns_directly_to_the_internet.toml create mode 100644 rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml create mode 100644 rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml create mode 100644 rules/network/command_and_control_nat_traversal_port_activity.toml create mode 100644 rules/network/command_and_control_port_26_activity.toml create mode 100644 rules/network/command_and_control_port_8000_activity_to_the_internet.toml create mode 100644 rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml create mode 100644 rules/network/command_and_control_proxy_port_activity_to_the_internet.toml create mode 100644 rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml create mode 100644 rules/network/command_and_control_smtp_to_the_internet.toml create mode 100644 rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml create mode 100644 rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml create mode 100644 rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml create mode 100644 rules/network/command_and_control_telnet_port_activity.toml create mode 100644 rules/network/command_and_control_tor_activity_to_the_internet.toml create mode 100644 rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml create mode 100644 rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml create mode 100644 rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml create mode 100644 rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml create mode 100644 rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml create mode 100644 rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml create mode 100644 rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml create mode 100644 rules/okta/impact_attempt_to_revoke_okta_api_token.toml create mode 100644 rules/okta/impact_possible_okta_dos_attack.toml create mode 100644 rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml create mode 100644 rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml create mode 100644 rules/okta/okta_attempt_to_delete_okta_policy.toml create mode 100644 rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml create mode 100644 rules/okta/okta_attempt_to_modify_okta_network_zone.toml create mode 100644 rules/okta/okta_attempt_to_modify_okta_policy.toml create mode 100644 rules/okta/okta_threat_detected_by_okta_threatinsight.toml create mode 100644 rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml create mode 100644 rules/okta/persistence_attempt_to_create_okta_api_token.toml create mode 100644 rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml create mode 100644 rules/okta/persistence_attempt_to_deactivate_okta_policy.toml create mode 100644 rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml create mode 100644 rules/windows/command_and_control_certutil_network_connection.toml create mode 100755 rules/windows/credential_access_credential_dumping_msbuild.toml create mode 100644 rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml create mode 100644 rules/windows/defense_evasion_clearing_windows_event_logs.toml create mode 100644 rules/windows/defense_evasion_cve_2020_0601.toml create mode 100644 rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml create mode 100644 rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml create mode 100644 rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml create mode 100644 rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml create mode 100755 rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml create mode 100755 rules/windows/defense_evasion_execution_msbuild_started_by_script.toml create mode 100755 rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml create mode 100755 rules/windows/defense_evasion_execution_msbuild_started_renamed.toml create mode 100755 rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml create mode 100644 rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml create mode 100755 rules/windows/defense_evasion_injection_msbuild.toml create mode 100644 rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml create mode 100644 rules/windows/defense_evasion_modification_of_boot_config.toml create mode 100644 rules/windows/defense_evasion_via_filter_manager.toml create mode 100644 rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml create mode 100644 rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml create mode 100644 rules/windows/discovery_net_command_system_account.toml create mode 100644 rules/windows/discovery_process_discovery_via_tasklist_command.toml create mode 100644 rules/windows/discovery_whoami_command_activity.toml create mode 100644 rules/windows/execution_command_prompt_connecting_to_the_internet.toml create mode 100644 rules/windows/execution_command_shell_started_by_powershell.toml create mode 100644 rules/windows/execution_command_shell_started_by_svchost.toml create mode 100644 rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml create mode 100644 rules/windows/execution_local_service_commands.toml create mode 100644 rules/windows/execution_msbuild_making_network_connections.toml create mode 100644 rules/windows/execution_mshta_making_network_connections.toml create mode 100644 rules/windows/execution_msxsl_network.toml create mode 100644 rules/windows/execution_psexec_lateral_movement_command.toml create mode 100644 rules/windows/execution_register_server_program_connecting_to_the_internet.toml create mode 100644 rules/windows/execution_script_executing_powershell.toml create mode 100644 rules/windows/execution_suspicious_ms_office_child_process.toml create mode 100644 rules/windows/execution_suspicious_ms_outlook_child_process.toml create mode 100644 rules/windows/execution_suspicious_pdf_reader.toml create mode 100644 rules/windows/execution_unusual_network_connection_via_rundll32.toml create mode 100644 rules/windows/execution_unusual_process_network_connection.toml create mode 100644 rules/windows/execution_via_compiled_html_file.toml create mode 100644 rules/windows/execution_via_net_com_assemblies.toml create mode 100644 rules/windows/lateral_movement_direct_outbound_smb_connection.toml create mode 100644 rules/windows/persistence_adobe_hijack_persistence.toml create mode 100644 rules/windows/persistence_local_scheduled_task_commands.toml create mode 100644 rules/windows/persistence_priv_escalation_via_accessibility_features.toml create mode 100644 rules/windows/persistence_system_shells_via_services.toml create mode 100644 rules/windows/persistence_user_account_creation.toml create mode 100644 rules/windows/persistence_via_application_shimming.toml create mode 100644 rules/windows/privilege_escalation_uac_bypass_event_viewer.toml create mode 100644 rules/windows/privilege_escalation_unusual_parentchild_relationship.toml diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml new file mode 100644 index 000000000..310f566e6 --- /dev/null +++ b/rules/apm/apm_403_response_to_a_post.toml @@ -0,0 +1,34 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +A POST request to web application returned a 403 response, which indicates the web application declined to process the +request because the action requested was not allowed +""" +false_positives = [ + """ + Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers + of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate + suspicious or malicious activity. + """, +] +index = ["apm-*-transaction*"] +language = "kuery" +license = "Elastic License" +name = "Web Application Suspicious Activity: POST Request Declined" +references = ["https://en.wikipedia.org/wiki/HTTP_403"] +risk_score = 47 +rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e" +severity = "medium" +tags = ["APM", "Elastic"] +type = "query" + +query = ''' +http.response.status_code:403 and http.request.method:post +''' + diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml new file mode 100644 index 000000000..07b79c12e --- /dev/null +++ b/rules/apm/apm_405_response_method_not_allowed.toml @@ -0,0 +1,34 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +A request to web application returned a 405 response which indicates the web application declined to process the request +because the HTTP method is not allowed for the resource +""" +false_positives = [ + """ + Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers + of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate + suspicious or malicious activity. + """, +] +index = ["apm-*-transaction*"] +language = "kuery" +license = "Elastic License" +name = "Web Application Suspicious Activity: Unauthorized Method" +references = ["https://en.wikipedia.org/wiki/HTTP_405"] +risk_score = 47 +rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef" +severity = "medium" +tags = ["APM", "Elastic"] +type = "query" + +query = ''' +http.response.status_code:405 +''' + diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml new file mode 100644 index 000000000..2df5bae6d --- /dev/null +++ b/rules/apm/apm_null_user_agent.toml @@ -0,0 +1,46 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "A request to a web application server contained no identifying user agent string." +false_positives = [ + """ + Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet + contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is + unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity. + """, +] +index = ["apm-*-transaction*"] +language = "kuery" +license = "Elastic License" +name = "Web Application Suspicious Activity: No User Agent" +references = ["https://en.wikipedia.org/wiki/User_agent"] +risk_score = 47 +rule_id = "43303fd4-4839-4e48-b2b2-803ab060758d" +severity = "medium" +tags = ["APM", "Elastic"] +type = "query" + +query = ''' +url.path:* +''' + + +[[rule.filters]] + +[rule.filters."$state"] +store = "appState" +[rule.filters.exists] +field = "user_agent.original" +[rule.filters.meta] +disabled = false +indexRefName = "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" +key = "user_agent.original" +negate = true +type = "exists" +value = "exists" + diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml new file mode 100644 index 000000000..042ef7051 --- /dev/null +++ b/rules/apm/apm_sqlmap_user_agent.toml @@ -0,0 +1,34 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap +1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. +""" +false_positives = [ + """ + This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security + scans and tests may result in these errors. If the source is not an authorized security tester, this is generally + suspicious or malicious activity. + """, +] +index = ["apm-*-transaction*"] +language = "kuery" +license = "Elastic License" +name = "Web Application Suspicious Activity: sqlmap User Agent" +references = ["http://sqlmap.org/"] +risk_score = 47 +rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820" +severity = "medium" +tags = ["APM", "Elastic"] +type = "query" + +query = ''' +user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" +''' + diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml new file mode 100644 index 000000000..0d5b08070 --- /dev/null +++ b/rules/aws/collection_cloudtrail_logging_created.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/06/10" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/10" + +[rule] +author = ["Elastic"] +description = "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data." +false_positives = [ + """ + Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS CloudTrail Log Created" +references = [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html", +] +risk_score = 21 +rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed" +severity = "low" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:CreateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage Object" +reference = "https://attack.mitre.org/techniques/T1530/" + + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml new file mode 100644 index 000000000..2f03a2c47 --- /dev/null +++ b/rules/aws/credential_access_iam_user_addition_to_group.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2020/06/04" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/04" + +[rule] +author = ["Elastic"] +description = "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM)." +false_positives = [ + """ + Adding users to a specified group may be done by a system or network administrator. Verify whether the user + identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar + users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the + rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS IAM User Addition to Group" +references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"] +risk_score = 21 +rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0" +severity = "low" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:AddUserToGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml new file mode 100644 index 000000000..d43d57521 --- /dev/null +++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/05/26" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/26" + +[rule] +author = ["Elastic"] +description = "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses." +false_positives = [ + """ + Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS CloudTrail Log Deleted" +references = [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html", +] +risk_score = 47 +rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeleteTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml new file mode 100644 index 000000000..41dccb571 --- /dev/null +++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml @@ -0,0 +1,54 @@ +[metadata] +creation_date = "2020/06/10" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/10" + +[rule] +author = ["Elastic"] +description = """ +Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may +suspend trails in an attempt to evade defenses. +""" +false_positives = [ + """ + Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user + identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from + unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted + from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS CloudTrail Log Suspended" +references = [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html", +] +risk_score = 47 +rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:StopLogging and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml new file mode 100644 index 000000000..3b207af25 --- /dev/null +++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/06/15" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/15" + +[rule] +author = ["Elastic"] +description = "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses." +false_positives = [ + """ + Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm + deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it + can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS CloudWatch Alarm Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", + "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html", +] +risk_score = 47 +rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeleteAlarms and event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml new file mode 100644 index 000000000..55135ed3b --- /dev/null +++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/06/16" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/16" + +[rule] +author = ["Elastic"] +description = "Identifies an AWS configuration change to stop recording a designated set of resources." +false_positives = [ + """ + Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false + positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS Configuration Recorder Stopped" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", + "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html", +] +risk_score = 73 +rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435" +severity = "high" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:StopConfigurationRecorder and event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml new file mode 100644 index 000000000..6c367e599 --- /dev/null +++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/06/15" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/15" + +[rule] +author = ["Elastic"] +description = """ +Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs +in an attempt to evade defenses. +""" +false_positives = [ + """ + Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log + deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it + can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS EC2 Flow Log Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html", +] +risk_score = 73 +rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872" +severity = "high" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeleteFlowLogs and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml new file mode 100644 index 000000000..71ecbaca0 --- /dev/null +++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/05/26" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/26" + +[rule] +author = ["Elastic"] +description = """ +Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its +ingress/egress entries. +""" +false_positives = [ + """ + Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or + hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS EC2 Network Access Control List Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html", +] +risk_score = 47 +rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml new file mode 100644 index 000000000..7540e5a89 --- /dev/null +++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/05/28" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/28" + +[rule] +author = ["Elastic"] +description = """ +Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and +all existing findings are lost. +""" +false_positives = [ + """ + The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user + agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS GuardDuty Detector Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", + "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html", +] +risk_score = 73 +rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef" +severity = "high" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml new file mode 100644 index 000000000..97a37cb62 --- /dev/null +++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/05/27" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/27" + +[rule] +author = ["Elastic"] +description = "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components." +false_positives = [ + """ + Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS S3 Bucket Configuration Deletion" +references = [ + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html", +] +risk_score = 21 +rule_id = "227dc608-e558-43d9-b521-150772250bae" +severity = "low" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or DeleteBucketEncryption or DeleteBucketLifecycle) and event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal on Host" +reference = "https://attack.mitre.org/techniques/T1070/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml new file mode 100644 index 000000000..4cec5326f --- /dev/null +++ b/rules/aws/defense_evasion_waf_acl_deletion.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list." +false_positives = [ + """ + Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS WAF Access Control List Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html", +] +risk_score = 47 +rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/defense_evasion_waf_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_group_deletion.toml new file mode 100644 index 000000000..cdcd6b99b --- /dev/null +++ b/rules/aws/defense_evasion_waf_rule_group_deletion.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/06/09" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/09" + +[rule] +author = ["Elastic"] +description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule group." +false_positives = [ + """ + Firewall rule groups may be deleted by a system or network administrator. Verify whether the user identity, user + agent, and/or hostname should be making changes in your environment. Rule group deletions from unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS WAF Rule Group Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", + "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html", +] +risk_score = 47 +rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeleteRuleGroup and event.dataset:aws.cloudtrail and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml new file mode 100644 index 000000000..786cced0d --- /dev/null +++ b/rules/aws/impact_cloudtrail_logging_updated.toml @@ -0,0 +1,62 @@ +[metadata] +creation_date = "2020/06/10" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/10" + +[rule] +author = ["Elastic"] +description = "Identifies an update to an AWS log trail setting that specifies the delivery of log files." +false_positives = [ + """ + Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or + hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS CloudTrail Log Updated" +references = [ + "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html", +] +risk_score = 21 +rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d" +severity = "low" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:UpdateTrail and event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1492" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1492/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage Object" +reference = "https://attack.mitre.org/techniques/T1530/" + + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml new file mode 100644 index 000000000..c4b9a0245 --- /dev/null +++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml @@ -0,0 +1,65 @@ +[metadata] +creation_date = "2020/05/18" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log +events associated with the log group are also permanently deleted. +""" +false_positives = [ + """ + Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log + group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, + it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS CloudWatch Log Group Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", + "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html", +] +risk_score = 47 +rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeleteLogGroup and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml new file mode 100644 index 000000000..9173374d1 --- /dev/null +++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml @@ -0,0 +1,65 @@ +[metadata] +creation_date = "2020/05/20" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/20" + +[rule] +author = ["Elastic"] +description = """ +Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events +with the stream. +""" +false_positives = [ + """ + A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname + should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS CloudWatch Log Stream Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", + "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html", +] +risk_score = 47 +rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml new file mode 100644 index 000000000..22b4f2f85 --- /dev/null +++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml @@ -0,0 +1,54 @@ +[metadata] +creation_date = "2020/06/05" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/05" + +[rule] +author = ["Elastic"] +description = """ +Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling +encryption by default does not change the encryption status of your existing volumes. +""" +false_positives = [ + """ + Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS EC2 Encryption Disabled" +references = [ + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html", +] +risk_score = 47 +rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DisableEbsEncryptionByDefault and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1492" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1492/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml new file mode 100644 index 000000000..2c7037ca9 --- /dev/null +++ b/rules/aws/impact_iam_deactivate_mfa_device.toml @@ -0,0 +1,54 @@ +[metadata] +creation_date = "2020/05/26" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/26" + +[rule] +author = ["Elastic"] +description = """ +Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with +the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be +deactivated before it can be deleted. +""" +false_positives = [ + """ + A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS IAM Deactivation of MFA Device" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html", +] +risk_score = 47 +rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml new file mode 100644 index 000000000..99e4bce69 --- /dev/null +++ b/rules/aws/impact_iam_group_deletion.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource +group does not delete resources that are members of the group; it only deletes the group structure. +""" +false_positives = [ + """ + A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or + hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS IAM Group Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html", +] +risk_score = 21 +rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a" +severity = "low" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:DeleteGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml new file mode 100644 index 000000000..288644cb3 --- /dev/null +++ b/rules/aws/impact_rds_cluster_deletion.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster or global database +cluster. +""" +false_positives = [ + """ + Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname + should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS RDS Cluster Deletion" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", +] +risk_score = 47 +rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:(DeleteDBCluster or DeleteGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml new file mode 100644 index 000000000..63f72fe46 --- /dev/null +++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2020/05/20" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/20" + +[rule] +author = ["Elastic"] +description = "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped." +false_positives = [ + """ + Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS RDS Instance/Cluster Stoppage" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html", +] +risk_score = 47 +rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d" +severity = "medium" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:(StopDBCluster or StopDBInstance) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml new file mode 100644 index 000000000..e718e2bc5 --- /dev/null +++ b/rules/aws/initial_access_console_login_root.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2020/06/11" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/11" + +[rule] +author = ["Elastic"] +description = "Identifies a successful login to the AWS Management Console by the Root user." +false_positives = [ + """ + It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. + Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. + Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be + exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS Management Console Root Login" +references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"] +risk_score = 73 +rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef" +severity = "high" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:ConsoleLogin and event.module:aws and event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and aws.cloudtrail.user_identity.type:Root and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml new file mode 100644 index 000000000..172201f7e --- /dev/null +++ b/rules/aws/persistence_ec2_network_acl_creation.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/06/04" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/04" + +[rule] +author = ["Elastic"] +description = """ +Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network +ACL with a specified rule number. +""" +false_positives = [ + """ + Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or + hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS EC2 Network Access Control List Creation" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html", +] +risk_score = 21 +rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0" +severity = "low" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1108" +name = "Redundant Access" +reference = "https://attack.mitre.org/techniques/T1108/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml new file mode 100644 index 000000000..16eb726f0 --- /dev/null +++ b/rules/aws/persistence_iam_group_creation.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/06/05" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/06/05" + +[rule] +author = ["Elastic"] +description = """ +Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple +users. Any user in a group automatically has the permissions that are assigned to the group. +""" +false_positives = [ + """ + A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or + hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS IAM Group Creation" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html", +] +risk_score = 21 +rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1" +severity = "low" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:CreateGroup and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1108" +name = "Redundant Access" +reference = "https://attack.mitre.org/techniques/T1108/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml new file mode 100644 index 000000000..fe8f6e092 --- /dev/null +++ b/rules/aws/persistence_rds_cluster_creation.toml @@ -0,0 +1,67 @@ +[metadata] +creation_date = "2020/05/20" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/20" + +[rule] +author = ["Elastic"] +description = """ +Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread +across multiple regions. +""" +false_positives = [ + """ + Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts + should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-20m" +index = ["filebeat-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "AWS RDS Cluster Creation" +references = [ + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", + "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html", +] +risk_score = 21 +rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d" +severity = "low" +tags = ["AWS", "Elastic"] +type = "query" + +query = ''' +event.action:(CreateDBCluster or CreateGlobalCluster) and event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1108" +name = "Redundant Access" +reference = "https://attack.mitre.org/techniques/T1108/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1108" +name = "Redundant Access" +reference = "https://attack.mitre.org/techniques/T1108/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/endpoint/endpoint_adversary_behavior_detected.toml b/rules/endpoint/endpoint_adversary_behavior_detected.toml new file mode 100644 index 000000000..8b104eaa9 --- /dev/null +++ b/rules/endpoint/endpoint_adversary_behavior_detected.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link +in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Adversary Behavior - Detected - Elastic Endpoint" +risk_score = 47 +rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" +severity = "medium" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event) +''' + diff --git a/rules/endpoint/endpoint_cred_dumping_detected.toml b/rules/endpoint/endpoint_cred_dumping_detected.toml new file mode 100644 index 000000000..feb5f570f --- /dev/null +++ b/rules/endpoint/endpoint_cred_dumping_detected.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in +the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Credential Dumping - Detected - Elastic Endpoint" +risk_score = 73 +rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" +severity = "high" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) +''' + diff --git a/rules/endpoint/endpoint_cred_dumping_prevented.toml b/rules/endpoint/endpoint_cred_dumping_prevented.toml new file mode 100644 index 000000000..89c0f0f88 --- /dev/null +++ b/rules/endpoint/endpoint_cred_dumping_prevented.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in +the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Credential Dumping - Prevented - Elastic Endpoint" +risk_score = 47 +rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" +severity = "medium" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) +''' + diff --git a/rules/endpoint/endpoint_cred_manipulation_detected.toml b/rules/endpoint/endpoint_cred_manipulation_detected.toml new file mode 100644 index 000000000..8efe9394e --- /dev/null +++ b/rules/endpoint/endpoint_cred_manipulation_detected.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the +link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Credential Manipulation - Detected - Elastic Endpoint" +risk_score = 73 +rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" +severity = "high" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) +''' + diff --git a/rules/endpoint/endpoint_cred_manipulation_prevented.toml b/rules/endpoint/endpoint_cred_manipulation_prevented.toml new file mode 100644 index 000000000..d69f593c8 --- /dev/null +++ b/rules/endpoint/endpoint_cred_manipulation_prevented.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the +link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Credential Manipulation - Prevented - Elastic Endpoint" +risk_score = 47 +rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" +severity = "medium" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) +''' + diff --git a/rules/endpoint/endpoint_exploit_detected.toml b/rules/endpoint/endpoint_exploit_detected.toml new file mode 100644 index 000000000..0348122cb --- /dev/null +++ b/rules/endpoint/endpoint_exploit_detected.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the +rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Exploit - Detected - Elastic Endpoint" +risk_score = 73 +rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" +severity = "high" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) +''' + diff --git a/rules/endpoint/endpoint_exploit_prevented.toml b/rules/endpoint/endpoint_exploit_prevented.toml new file mode 100644 index 000000000..1646cc750 --- /dev/null +++ b/rules/endpoint/endpoint_exploit_prevented.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the +rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Exploit - Prevented - Elastic Endpoint" +risk_score = 47 +rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" +severity = "medium" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) +''' + diff --git a/rules/endpoint/endpoint_malware_detected.toml b/rules/endpoint/endpoint_malware_detected.toml new file mode 100644 index 000000000..b44a47a42 --- /dev/null +++ b/rules/endpoint/endpoint_malware_detected.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the +rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Malware - Detected - Elastic Endpoint" +risk_score = 99 +rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" +severity = "critical" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) +''' + diff --git a/rules/endpoint/endpoint_malware_prevented.toml b/rules/endpoint/endpoint_malware_prevented.toml new file mode 100644 index 000000000..822c5fac3 --- /dev/null +++ b/rules/endpoint/endpoint_malware_prevented.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the +rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Malware - Prevented - Elastic Endpoint" +risk_score = 73 +rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" +severity = "high" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) +''' + diff --git a/rules/endpoint/endpoint_permission_theft_detected.toml b/rules/endpoint/endpoint_permission_theft_detected.toml new file mode 100644 index 000000000..641eb1fa9 --- /dev/null +++ b/rules/endpoint/endpoint_permission_theft_detected.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in +the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Permission Theft - Detected - Elastic Endpoint" +risk_score = 73 +rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" +severity = "high" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) +''' + diff --git a/rules/endpoint/endpoint_permission_theft_prevented.toml b/rules/endpoint/endpoint_permission_theft_prevented.toml new file mode 100644 index 000000000..ad4fc7ed9 --- /dev/null +++ b/rules/endpoint/endpoint_permission_theft_prevented.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in +the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Permission Theft - Prevented - Elastic Endpoint" +risk_score = 47 +rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" +severity = "medium" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) +''' + diff --git a/rules/endpoint/endpoint_process_injection_detected.toml b/rules/endpoint/endpoint_process_injection_detected.toml new file mode 100644 index 000000000..c9831e8b7 --- /dev/null +++ b/rules/endpoint/endpoint_process_injection_detected.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in +the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Process Injection - Detected - Elastic Endpoint" +risk_score = 73 +rule_id = "80c52164-c82a-402c-9964-852533d58be1" +severity = "high" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) +''' + diff --git a/rules/endpoint/endpoint_process_injection_prevented.toml b/rules/endpoint/endpoint_process_injection_prevented.toml new file mode 100644 index 000000000..5f43b29d8 --- /dev/null +++ b/rules/endpoint/endpoint_process_injection_prevented.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in +the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Process Injection - Prevented - Elastic Endpoint" +risk_score = 47 +rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" +severity = "medium" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) +''' + diff --git a/rules/endpoint/endpoint_ransomware_detected.toml b/rules/endpoint/endpoint_ransomware_detected.toml new file mode 100644 index 000000000..c887f6755 --- /dev/null +++ b/rules/endpoint/endpoint_ransomware_detected.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the +rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Ransomware - Detected - Elastic Endpoint" +risk_score = 99 +rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" +severity = "critical" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) +''' + diff --git a/rules/endpoint/endpoint_ransomware_prevented.toml b/rules/endpoint/endpoint_ransomware_prevented.toml new file mode 100644 index 000000000..a596bf3af --- /dev/null +++ b/rules/endpoint/endpoint_ransomware_prevented.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the +rule.reference column in the External Alerts tab of the SIEM Detections page for additional information. +""" +from = "now-15m" +index = ["endgame-*"] +interval = "10m" +language = "kuery" +license = "Elastic License" +name = "Ransomware - Prevented - Elastic Endpoint" +risk_score = 73 +rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" +severity = "high" +tags = ["Elastic", "Endpoint"] +type = "query" + +query = ''' +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) +''' + diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml new file mode 100644 index 000000000..cb3936eb9 --- /dev/null +++ b/rules/linux/credential_access_tcpdump_activity.toml @@ -0,0 +1,59 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to +capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a +prelude to lateral movement or defense evasion. +""" +false_positives = [ + """ + Some normal use of this command may originate from server or network administrators engaged in network + troubleshooting. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Network Sniffing via Tcpdump" +risk_score = 21 +rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:tcpdump and event.action:executed +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml new file mode 100644 index 000000000..205b7328d --- /dev/null +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/04/24" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/24" + +[rule] +author = ["Elastic"] +description = """ +Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to +receive or send network traffic. +""" +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Disable IPTables or Firewall" +risk_score = 47 +rule_id = "125417b8-d3df-479f-8418-12d7e034fee3" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:(executed or process_started) and (process.name:service and process.args:stop or process.name:chkconfig and process.args:off) and process.args:(ip6tables or iptables) or process.name:systemctl and process.args:(firewalld and (disable or stop or kill)) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml new file mode 100644 index 000000000..500dce906 --- /dev/null +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/04/27" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/27" + +[rule] +author = ["Elastic"] +description = """ +Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade +detection by security controls. +""" +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Disable Syslog Service" +risk_score = 47 +rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:(executed or process_started) and ((process.name:service and process.args:stop) or (process.name:chkconfig and process.args:off) or (process.name:systemctl and process.args:(disable or stop or kill))) and process.args:(syslog or rsyslog or "syslog-ng") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml new file mode 100644 index 000000000..63eb78b61 --- /dev/null +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/04/17" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/17" + +[rule] +author = ["Elastic"] +description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls." +false_positives = [ + """ + Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be + filtered by the process executable or username values. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Base16 or Base32 Encoding/Decoding Activity" +risk_score = 21 +rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:(executed or process_started) and process.name:(base16 or base32 or base32plain or base32hex) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml new file mode 100644 index 000000000..f95b6bfd1 --- /dev/null +++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/04/17" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/17" + +[rule] +author = ["Elastic"] +description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls." +false_positives = [ + """ + Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be + filtered by the process executable or username values. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Base64 Encoding/Decoding Activity" +risk_score = 21 +rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:(executed or process_started) and process.name:(base64 or base64plain or base64url or base64mime or base64pem) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml new file mode 100644 index 000000000..5b5494c8e --- /dev/null +++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/05/04" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/06/24" + +[rule] +author = ["Elastic"] +description = """ +Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic +investigations. +""" +index = ["auditbeat-*"] +language = "lucene" +license = "Elastic License" +name = "Deletion of Bash Command Line History" +risk_score = 47 +rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:executed AND process.name:rm AND process.args:/\/(home\/.{1,255}|root)\/\.bash_history/ +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1146" +name = "Clear Command History" +reference = "https://attack.mitre.org/techniques/T1146/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml new file mode 100644 index 000000000..abb80e89c --- /dev/null +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -0,0 +1,41 @@ +[metadata] +creation_date = "2020/04/22" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/22" + +[rule] +author = ["Elastic"] +description = """ +Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to +support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and +activities. +""" +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Potential Disabling of SELinux" +risk_score = 47 +rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:executed and process.name:setenforce and process.args:0 +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml new file mode 100644 index 000000000..604099ad7 --- /dev/null +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -0,0 +1,41 @@ +[metadata] +creation_date = "2020/04/27" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/27" + +[rule] +author = ["Elastic"] +description = """ +Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within +a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or +remove them at the end as part of the post-intrusion cleanup process. +""" +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "File Deletion via Shred" +risk_score = 21 +rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:(executed or process_started) and process.name:shred and process.args:("-u" or "--remove" or "-z" or "--zero") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1107" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1107/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml new file mode 100644 index 000000000..dd2b2cb3c --- /dev/null +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -0,0 +1,46 @@ +[metadata] +creation_date = "2020/04/21" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/21" + +[rule] +author = ["Elastic"] +description = """ +Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files +or payloads into a writable directory and change permissions prior to execution. +""" +false_positives = [ + """ + Certain programs or applications may modify files or change ownership in writable directories. These can be exempted + by username. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "File Permission Modification in Writable Directory" +risk_score = 21 +rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:executed and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:(/tmp or /var/tmp or /dev/shm) and not user.name:root +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml new file mode 100644 index 000000000..fb6d07a9f --- /dev/null +++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/04/17" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/17" + +[rule] +author = ["Elastic"] +description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls." +false_positives = [ + """ + Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be + filtered by the process executable or username values. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Hex Encoding/Decoding Activity" +risk_score = 21 +rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:(executed or process_started) and process.name:(hex or xxd) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml new file mode 100644 index 000000000..0f0727f79 --- /dev/null +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2020/04/29" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/29" + +[rule] +author = ["Elastic"] +description = """ +Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. +Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. +This rule looks for hidden files or folders in common writable directories. +""" +false_positives = [ + """ + Certain tools may create hidden temporary files or directories upon installation or as part of their normal + behavior. These events can be filtered by the process arguments, username, or process name values. + """, +] +index = ["auditbeat-*"] +language = "lucene" +license = "Elastic License" +max_signals = 33 +name = "Creation of Hidden Files and Directories" +risk_score = 47 +rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:executed AND process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") AND process.args:/\.[a-zA-Z0-9_\-][a-zA-Z0-9_\-\.]{1,254}/ AND NOT process.name:(cd or ls or find) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1158" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1158/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1158" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1158/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml new file mode 100644 index 000000000..d401138c4 --- /dev/null +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2020/04/24" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/24" + +[rule] +author = ["Elastic"] +description = """ +Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the +functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel +module. +""" +false_positives = [ + """ + There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. + Note that some Linux distributions are not built to support the removal of modules at all. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Kernel Module Removal" +references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"] +risk_score = 73 +rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef" +severity = "high" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:executed and process.args:(rmmod and sudo or modprobe and sudo and ("--remove" or "-r")) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1215" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1215/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml new file mode 100644 index 000000000..b75fb2e6b --- /dev/null +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -0,0 +1,47 @@ +[metadata] +creation_date = "2020/04/23" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/23" + +[rule] +author = ["Elastic"] +description = """ +Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They +extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate +information about a kernel module. +""" +false_positives = [ + """ + Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs + by ordinary users is uncommon. These can be exempted by process name or username. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Enumeration of Kernel Modules" +risk_score = 47 +rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:executed and process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo)) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml new file mode 100644 index 000000000..07de4f224 --- /dev/null +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -0,0 +1,47 @@ +[metadata] +creation_date = "2020/04/27" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/27" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies +common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy +RAT and other malware. +""" +false_positives = [ + """ + Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or + process arguments to eliminate potential noise. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Virtual Machine Fingerprinting" +risk_score = 73 +rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba" +severity = "high" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:executed and process.args:("/sys/class/dmi/id/bios_version" or "/sys/class/dmi/id/product_name" or "/sys/class/dmi/id/chassis_vendor" or "/proc/scsi/scsi" or "/proc/ide/hd0/model") and not user.name:root +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml new file mode 100644 index 000000000..47993b690 --- /dev/null +++ b/rules/linux/discovery_whoami_commmand.toml @@ -0,0 +1,46 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for +privileged access. +""" +false_positives = [ + """ + Security testing tools and frameworks may run this command. Some normal use of this command may originate from + automation tools and frameworks. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "User Discovery via Whoami" +risk_score = 21 +rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:whoami and event.action:executed +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml new file mode 100644 index 000000000..7ad4d2f41 --- /dev/null +++ b/rules/linux/execution_perl_tty_shell.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/04/16" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/16" + +[rule] +author = ["Elastic"] +description = """ +Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully +interactive tty after obtaining initial access to a host. +""" +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Interactive Terminal Spawned via Perl" +risk_score = 73 +rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3" +severity = "high" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:executed and process.name:perl and process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command-Line Interface" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml new file mode 100644 index 000000000..8305bca95 --- /dev/null +++ b/rules/linux/execution_python_tty_shell.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/04/15" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/15" + +[rule] +author = ["Elastic"] +description = """ +Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully +interactive tty after obtaining initial access to a host. +""" +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Interactive Terminal Spawned via Python" +risk_score = 73 +rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f" +severity = "high" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:executed and process.name:python and process.args:("import pty; pty.spawn(\"/bin/sh\")" or "import pty; pty.spawn(\"/bin/dash\")" or "import pty; pty.spawn(\"/bin/bash\")") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command-Line Interface" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml new file mode 100644 index 000000000..0b55d9134 --- /dev/null +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -0,0 +1,48 @@ +[metadata] +creation_date = "2020/04/23" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/23" + +[rule] +author = ["Elastic"] +description = """ +Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet +network connections to publicly routable IP addresses. +""" +false_positives = [ + """ + Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, + so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent + years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be + suspicious. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Connection to External Network via Telnet" +risk_score = 47 +rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:("connected-to" or "network_flow") and process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml new file mode 100644 index 000000000..fdf65515c --- /dev/null +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -0,0 +1,48 @@ +[metadata] +creation_date = "2020/04/23" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/23" + +[rule] +author = ["Elastic"] +description = """ +Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet +network connections to non-publicly routable IP addresses. +""" +false_positives = [ + """ + Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, + so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent + years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be + suspicious. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Connection to Internal Network via Telnet" +risk_score = 47 +rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:("connected-to" or "network_flow") and process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128")) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml new file mode 100644 index 000000000..18bc77c1a --- /dev/null +++ b/rules/linux/linux_hping_activity.toml @@ -0,0 +1,33 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets +for a wide variety of network security testing applications, including scanning and firewall auditing. +""" +false_positives = [ + """ + Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very + uncommon. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Hping Process Activity" +references = ["https://en.wikipedia.org/wiki/Hping"] +risk_score = 73 +rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52" +severity = "high" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:(hping or hping2 or hping3) and event.action:executed +''' + diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml new file mode 100644 index 000000000..07b1096e9 --- /dev/null +++ b/rules/linux/linux_iodine_activity.toml @@ -0,0 +1,33 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, +network security groups, and network access lists while evading detection. +""" +false_positives = [ + """ + Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very + uncommon. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Potential DNS Tunneling via Iodine" +references = ["https://code.kryo.se/iodine/"] +risk_score = 73 +rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2" +severity = "high" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:(iodine or iodined) and event.action:executed +''' + diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml new file mode 100644 index 000000000..4ada2fee2 --- /dev/null +++ b/rules/linux/linux_mknod_activity.toml @@ -0,0 +1,33 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. +It is used to export a command shell when the traditional version of netcat is not available to the payload. +""" +false_positives = [ + """ + Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from + scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Mknod Process Activity" +references = ["https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem"] +risk_score = 21 +rule_id = "61c31c14-507f-4627-8c31-072556b89a9c" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:mknod and event.action:executed +''' + diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml new file mode 100644 index 000000000..7c195d0ab --- /dev/null +++ b/rules/linux/linux_netcat_network_connection.toml @@ -0,0 +1,39 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by +exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data +exfiltration. +""" +false_positives = [ + """ + Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux + distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may + originate from scripts, automation tools, and frameworks. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Netcat Network Activity" +references = [ + "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", + "https://en.wikipedia.org/wiki/Netcat", +] +risk_score = 47 +rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:(nc or ncat or netcat or netcat.openbsd or netcat.traditional) and event.action:(bound-socket or connected-to or socket_opened) +''' + diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml new file mode 100644 index 000000000..f003bf0d1 --- /dev/null +++ b/rules/linux/linux_nmap_activity.toml @@ -0,0 +1,35 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and +discover networks, and identify listening services and operating systems. It is sometimes used to gather information in +support of exploitation, execution or lateral movement. +""" +false_positives = [ + """ + Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this + command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is + uncommon. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Nmap Process Activity" +references = ["https://en.wikipedia.org/wiki/Nmap"] +risk_score = 21 +rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:nmap +''' + diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml new file mode 100644 index 000000000..d901685e9 --- /dev/null +++ b/rules/linux/linux_nping_activity.toml @@ -0,0 +1,33 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide +variety of security testing applications, including denial of service testing. +""" +false_positives = [ + """ + Some normal use of this command may originate from security engineers and network or server administrators, but this + is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Nping Process Activity" +references = ["https://en.wikipedia.org/wiki/Nmap"] +risk_score = 47 +rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:nping and event.action:executed +''' + diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml new file mode 100644 index 000000000..4bcd55d54 --- /dev/null +++ b/rules/linux/linux_process_started_in_temp_directory.toml @@ -0,0 +1,29 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware." +false_positives = [ + """ + Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by + username. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Unusual Process Execution - Temp" +risk_score = 47 +rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.working_directory:/tmp and event.action:executed +''' + diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml new file mode 100644 index 000000000..185c69039 --- /dev/null +++ b/rules/linux/linux_socat_activity.toml @@ -0,0 +1,34 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, +or by serving a shell on a listening port. Socat is also sometimes used for lateral movement. +""" +false_positives = [ + """ + Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at + varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is + more likely to be suspicious. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Socat Process Activity" +references = ["https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"] +risk_score = 47 +rule_id = "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:socat and not process.args:-V and event.action:executed +''' + diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml new file mode 100644 index 000000000..5fb37a46e --- /dev/null +++ b/rules/linux/linux_strace_activity.toml @@ -0,0 +1,33 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Strace runs in a privileged context and can be used to escape restrictive environments by instantiating a shell in order +to elevate privileges or move laterally. +""" +false_positives = [ + """ + Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may + originate from developers or SREs engaged in debugging or system call tracing. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Strace Process Activity" +references = ["https://en.wikipedia.org/wiki/Strace"] +risk_score = 21 +rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:strace and event.action:executed +''' + diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml new file mode 100644 index 000000000..f6edf09d8 --- /dev/null +++ b/rules/linux/persistence_kernel_module_activity.toml @@ -0,0 +1,46 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts." +false_positives = [ + """ + Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these + programs by ordinary users is uncommon. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Persistence via Kernel Module Modification" +references = [ + "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM", +] +risk_score = 21 +rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:(insmod or kmod or modprobe or rmod) and event.action:executed +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1215" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1215/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml new file mode 100644 index 000000000..4c5d3c683 --- /dev/null +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -0,0 +1,44 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access." +false_positives = [ + """ + Network monitoring or management products may have a web server component that runs shell commands as part of normal + behavior. + """, +] +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Potential Shell via Web Server" +references = ["https://pentestlab.blog/tag/web-shell/"] +risk_score = 47 +rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb" +severity = "medium" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +process.name:(bash or dash) and user.name:(apache or nginx or www or "www-data") and event.action:executed +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1100" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1100/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml new file mode 100644 index 000000000..12bc29c34 --- /dev/null +++ b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/04/23" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/23" + +[rule] +author = ["Elastic"] +description = """ +An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning +group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application +with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism +on their own malware to make sure they're able to execute in elevated contexts in the future. +""" +index = ["auditbeat-*"] +language = "lucene" +license = "Elastic License" +max_signals = 33 +name = "Setgid Bit Set via chmod" +risk_score = 21 +rule_id = "3a86e085-094c-412d-97ff-2439731e59cb" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:(executed OR process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1166" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1166/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1166" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1166/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml new file mode 100644 index 000000000..4a69da17b --- /dev/null +++ b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/04/23" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/23" + +[rule] +author = ["Elastic"] +description = """ +An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning +user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application +with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism +on their own malware to make sure they're able to execute in elevated contexts in the future. +""" +index = ["auditbeat-*"] +language = "lucene" +license = "Elastic License" +max_signals = 33 +name = "Setuid Bit Set via chmod" +risk_score = 21 +rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.action:(executed OR process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1166" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1166/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1166" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1166/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_sudoers_file_mod.toml b/rules/linux/privilege_escalation_sudoers_file_mod.toml new file mode 100644 index 000000000..9a379d8c9 --- /dev/null +++ b/rules/linux/privilege_escalation_sudoers_file_mod.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/04/13" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/04/13" + +[rule] +author = ["Elastic"] +description = """ +A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take +advantage of these configurations to execute commands as other users or spawn processes with higher privileges. +""" +index = ["auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Sudoers File Modification" +risk_score = 21 +rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4" +severity = "low" +tags = ["Elastic", "Linux"] +type = "query" + +query = ''' +event.module:file_integrity and event.action:updated and file.path:/etc/sudoers +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1169" +name = "Sudo" +reference = "https://attack.mitre.org/techniques/T1169/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml new file mode 100644 index 000000000..d653ad131 --- /dev/null +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -0,0 +1,36 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate +command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network +activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that +allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network +applications. +""" +false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "linux_anomalous_network_activity_ecs" +name = "Unusual Linux Network Activity" +note = """### Investigating Unusual Network Activity ### +Signals from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation: +- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? +- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses. +- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program? +- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.""" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b" +severity = "low" +tags = ["Elastic", "Linux", "ML"] +type = "machine_learning" + diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml new file mode 100644 index 000000000..eafee5439 --- /dev/null +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -0,0 +1,27 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data +exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate +unauthorized access or threat actor activity. +""" +false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "linux_anomalous_network_port_activity_ecs" +name = "Unusual Linux Network Port Activity" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0" +severity = "low" +tags = ["Elastic", "Linux", "ML"] +type = "machine_learning" + diff --git a/rules/ml/ml_linux_anomalous_network_service.toml b/rules/ml/ml_linux_anomalous_network_service.toml new file mode 100644 index 000000000..3b8e61c99 --- /dev/null +++ b/rules/ml/ml_linux_anomalous_network_service.toml @@ -0,0 +1,26 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Identifies unusual listening ports on Linux instances that can indicate execution of unauthorized services, backdoors, +or persistence mechanisms. +""" +false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "linux_anomalous_network_service" +name = "Unusual Linux Network Service" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "52afbdc5-db15-596e-bc35-f5707f820c4b" +severity = "low" +tags = ["Elastic", "Linux", "ML"] +type = "machine_learning" + diff --git a/rules/ml/ml_linux_anomalous_network_url_activity.toml b/rules/ml/ml_linux_anomalous_network_url_activity.toml new file mode 100644 index 000000000..3adfeba4b --- /dev/null +++ b/rules/ml/ml_linux_anomalous_network_url_activity.toml @@ -0,0 +1,34 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and +execution. Wget and cURL are commonly used by Linux programs to download code and data. Most of the time, their usage is +entirely normal. Generally, because they use a list of URLs, they repeatedly download from the same locations. However, +Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download +additional software and code. For these reasons, unusual URLs can indicate unauthorized downloads or threat activity. +""" +false_positives = [ + """ + A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting + could trigger this signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "linux_anomalous_network_url_activity_ecs" +name = "Unusual Linux Web Activity" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "52afbdc5-db15-485e-bc35-f5707f820c4c" +severity = "low" +tags = ["Elastic", "Linux", "ML"] +type = "machine_learning" + diff --git a/rules/ml/ml_linux_anomalous_process_all_hosts.toml b/rules/ml/ml_linux_anomalous_process_all_hosts.toml new file mode 100644 index 000000000..6b0615a08 --- /dev/null +++ b/rules/ml/ml_linux_anomalous_process_all_hosts.toml @@ -0,0 +1,37 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of +false positives since automated maintenance processes usually only run occasionally on a single machine but are common +to all or many hosts in a fleet. +""" +false_positives = [ + """ + A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this + signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "linux_anomalous_process_all_hosts_ecs" +name = "Anomalous Process For a Linux Population" +note = """### Investigating an Unusual Linux Process ### +Signals from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? +- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.""" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "647fc812-7996-4795-8869-9c4ea595fe88" +severity = "low" +tags = ["Elastic", "Linux", "ML"] +type = "machine_learning" + diff --git a/rules/ml/ml_linux_anomalous_user_name.toml b/rules/ml/ml_linux_anomalous_user_name.toml new file mode 100644 index 000000000..993fae1ac --- /dev/null +++ b/rules/ml/ml_linux_anomalous_user_name.toml @@ -0,0 +1,42 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized +changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new +usernames are not often created apart from specific types of system activities, such as creating new accounts for new +employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to +suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when +personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for +malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move +laterally from one host to another. +""" +false_positives = [ + """ + Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual + troubleshooting or reconfiguration. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "linux_anomalous_user_name_ecs" +name = "Unusual Linux Username" +note = """### Investigating an Unusual Linux User ### +Signals from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer? +- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.""" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c" +severity = "low" +tags = ["Elastic", "Linux", "ML"] +type = "machine_learning" + diff --git a/rules/ml/ml_packetbeat_dns_tunneling.toml b/rules/ml/ml_packetbeat_dns_tunneling.toml new file mode 100644 index 000000000..84e218f5d --- /dev/null +++ b/rules/ml/ml_packetbeat_dns_tunneling.toml @@ -0,0 +1,33 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often +used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. +For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel +data. +""" +false_positives = [ + """ + DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger + this signal and such parent domains can be excluded. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "packetbeat_dns_tunneling" +name = "DNS Tunneling" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9" +severity = "low" +tags = ["Elastic", "ML", "Packetbeat"] +type = "machine_learning" + diff --git a/rules/ml/ml_packetbeat_rare_dns_question.toml b/rules/ml/ml_packetbeat_rare_dns_question.toml new file mode 100644 index 000000000..53c5315f5 --- /dev/null +++ b/rules/ml/ml_packetbeat_rare_dns_question.toml @@ -0,0 +1,36 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. +This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user +clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload +from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware +uses for command-and-control communication. +""" +false_positives = [ + """ + A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this + signal. Network activity that occurs rarely, in small quantities, can trigger this signal. Possible examples are + browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may + trigger this signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "packetbeat_rare_dns_question" +name = "Unusual DNS Activity" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "746edc4c-c54c-49c6-97a1-651223819448" +severity = "low" +tags = ["Elastic", "ML", "Packetbeat"] +type = "machine_learning" + diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml new file mode 100644 index 000000000..8dd1d5217 --- /dev/null +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -0,0 +1,36 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected an unusual network destination domain name. This can be due to initial access, +persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing +email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server +name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for +command-and-control communication. +""" +false_positives = [ + """ + Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing + technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may + trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may + trigger this when they are used sparsely. Web domains can be excluded in cases such as these. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "packetbeat_rare_server_domain" +name = "Unusual Network Destination Domain Name" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "17e68559-b274-4948-ad0b-f8415bb31126" +severity = "low" +tags = ["Elastic", "ML", "Packetbeat"] +type = "machine_learning" + diff --git a/rules/ml/ml_packetbeat_rare_urls.toml b/rules/ml/ml_packetbeat_rare_urls.toml new file mode 100644 index 000000000..3af3d0077 --- /dev/null +++ b/rules/ml/ml_packetbeat_rare_urls.toml @@ -0,0 +1,39 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to +initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise +or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted +users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. +When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for +command-and-control communication. When rare URLs are observed being requested for a local web server by a remote +source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers +which are part of common Internet background traffic. +""" +false_positives = [ + """ + Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing + technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may + trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may + trigger this when they are used sparsely. Web domains can be excluded in cases such as these. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "packetbeat_rare_urls" +name = "Unusual Web Request" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9" +severity = "low" +tags = ["Elastic", "ML", "Packetbeat"] +type = "machine_learning" + diff --git a/rules/ml/ml_packetbeat_rare_user_agent.toml b/rules/ml/ml_packetbeat_rare_user_agent.toml new file mode 100644 index 000000000..fb06c72cc --- /dev/null +++ b/rules/ml/ml_packetbeat_rare_user_agent.toml @@ -0,0 +1,37 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process +other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user +agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which +are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools +like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from +local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or +stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning +activity. +""" +false_positives = [ + """ + Web activity that is uncommon, like security scans, may trigger this signal and may need to be excluded. A new or + rarely used program that calls web services may trigger this signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "packetbeat_rare_user_agent" +name = "Unusual Web User Agent" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0" +severity = "low" +tags = ["Elastic", "ML", "Packetbeat"] +type = "machine_learning" + diff --git a/rules/ml/ml_rare_process_by_host_linux.toml b/rules/ml/ml_rare_process_by_host_linux.toml new file mode 100644 index 000000000..190287daf --- /dev/null +++ b/rules/ml/ml_rare_process_by_host_linux.toml @@ -0,0 +1,37 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized +services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared +with other processes running on the host. +""" +false_positives = [ + """ + A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this + signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "rare_process_by_host_linux_ecs" +name = "Unusual Process For a Linux Host" +note = """### Investigating an Unusual Linux Process ### +Signals from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? +- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.""" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "46f804f5-b289-43d6-a881-9387cf594f75" +severity = "low" +tags = ["Elastic", "Linux", "ML"] +type = "machine_learning" + diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml new file mode 100644 index 000000000..f9344f615 --- /dev/null +++ b/rules/ml/ml_rare_process_by_host_windows.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized +services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared +with other processes running on the host. +""" +false_positives = [ + """ + A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this + signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "rare_process_by_host_windows_ecs" +name = "Unusual Process For a Windows Host" +note = """### Investigating an Unusual Windows Process ### +Signals from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? +- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. +- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. +- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. +- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """ +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/ml/ml_suspicious_login_activity.toml b/rules/ml/ml_suspicious_login_activity.toml new file mode 100644 index 000000000..559b427c9 --- /dev/null +++ b/rules/ml/ml_suspicious_login_activity.toml @@ -0,0 +1,28 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = "Identifies an unusually high number of authentication attempts." +false_positives = [ + """ + Security audits may trigger this signal. Conditions that generate bursts of failed logins, such as misconfigured + applications or account lockouts could trigger this signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "suspicious_login_activity_ecs" +name = "Unusual Login Activity" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2" +severity = "low" +tags = ["Elastic", "Linux", "ML"] +type = "machine_learning" + diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml new file mode 100644 index 000000000..fd4a04369 --- /dev/null +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -0,0 +1,38 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Identifies Windows processes that do not usually use the network but have unexpected network activity, which can +indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual +network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms +that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized +network applications. +""" +false_positives = ["A newly installed program or one that rarely uses the network could trigger this signal."] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "windows_anomalous_network_activity_ecs" +name = "Unusual Windows Network Activity" +note = """### Investigating Unusual Network Activity ### +Signals from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation: +- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected? +- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses. +- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program? +- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. +- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.""" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/ml/ml_windows_anomalous_path_activity.toml b/rules/ml/ml_windows_anomalous_path_activity.toml new file mode 100644 index 000000000..edac29c0e --- /dev/null +++ b/rules/ml/ml_windows_anomalous_path_activity.toml @@ -0,0 +1,34 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Identifies processes started from atypical folders in the file system, which might indicate malware execution or +persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual +for programs to be executed from user or temporary directories. Processes executed from these locations can denote that +a user downloaded software directly from the Internet or a malicious script or macro executed malware. +""" +false_positives = [ + """ + A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting + could trigger this signal. Users downloading and running programs from unusual locations, such as temporary + directories, browser caches, or profile paths could trigger this signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "windows_anomalous_path_activity_ecs" +name = "Unusual Windows Path Activity" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/ml/ml_windows_anomalous_process_all_hosts.toml b/rules/ml/ml_windows_anomalous_process_all_hosts.toml new file mode 100644 index 000000000..395b9207e --- /dev/null +++ b/rules/ml/ml_windows_anomalous_process_all_hosts.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false +positives since automated maintenance processes usually only run occasionally on a single machine but are common to all +or many hosts in a fleet. +""" +false_positives = [ + """ + A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this + signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "windows_anomalous_process_all_hosts_ecs" +name = "Anomalous Process For a Windows Population" +note = """### Investigating an Unusual Windows Process ### +Signals from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? +- Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. +- Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. +- Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. +- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """ +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/ml/ml_windows_anomalous_process_creation.toml b/rules/ml/ml_windows_anomalous_process_creation.toml new file mode 100644 index 000000000..4029f3308 --- /dev/null +++ b/rules/ml/ml_windows_anomalous_process_creation.toml @@ -0,0 +1,36 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. +Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a +malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter +process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running +an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is +a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners. +""" +false_positives = [ + """ + Users running scripts in the course of technical support operations of software upgrades could trigger this signal. + A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this + signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "windows_anomalous_process_creation" +name = "Anomalous Windows Process Creation" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/ml/ml_windows_anomalous_script.toml b/rules/ml/ml_windows_anomalous_script.toml new file mode 100644 index 000000000..66172bf9f --- /dev/null +++ b/rules/ml/ml_windows_anomalous_script.toml @@ -0,0 +1,31 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be +a characteristic of malicious PowerShell script text blocks. +""" +false_positives = [ + """ + Certain kinds of security testing may trigger this signal. PowerShell scripts that use high levels of obfuscation or + have unusual script block payloads may trigger this signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "windows_anomalous_script" +name = "Suspicious Powershell Script" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/ml/ml_windows_anomalous_service.toml b/rules/ml/ml_windows_anomalous_service.toml new file mode 100644 index 000000000..0e8ed05b3 --- /dev/null +++ b/rules/ml/ml_windows_anomalous_service.toml @@ -0,0 +1,32 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, +malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique +services. This job helps detect malware and persistence mechanisms that have been installed and run as a service. +""" +false_positives = [ + """ + A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this + signal. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "windows_anomalous_service" +name = "Unusual Windows Service" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/ml/ml_windows_anomalous_user_name.toml b/rules/ml/ml_windows_anomalous_user_name.toml new file mode 100644 index 000000000..095ca04e1 --- /dev/null +++ b/rules/ml/ml_windows_anomalous_user_name.toml @@ -0,0 +1,43 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized +changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new +usernames are not often created apart from specific types of system activities, such as creating new accounts for new +employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to +suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when +personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for +malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move +laterally from one host to another. +""" +false_positives = [ + """ + Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server + in order to perform manual troubleshooting or reconfiguration. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "windows_anomalous_user_name_ecs" +name = "Unusual Windows Username" +note = """### Investigating an Unusual Windows User ### +Signals from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity? +- Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process. +- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing. +- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.""" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/ml/ml_windows_rare_user_runas_event.toml b/rules/ml/ml_windows_rare_user_runas_event.toml new file mode 100644 index 000000000..b14b1b0b7 --- /dev/null +++ b/rules/ml/ml_windows_rare_user_runas_event.toml @@ -0,0 +1,32 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can +indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas +are more commonly used by domain and network administrators than by regular Windows users. +""" +false_positives = [ + """ + Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user + performing manual troubleshooting or reconfiguration. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "windows_rare_user_runas_event" +name = "Unusual Windows User Privilege Elevation Activity" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml new file mode 100644 index 000000000..e9677526c --- /dev/null +++ b/rules/ml/ml_windows_rare_user_type10_remote_login.toml @@ -0,0 +1,36 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +anomaly_threshold = 50 +author = ["Elastic"] +description = """ +A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover +or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual +usernames. +""" +false_positives = [ + """ + Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual + troubleshooting or reconfiguration. + """, +] +from = "now-45m" +interval = "15m" +license = "Elastic License" +machine_learning_job_id = "windows_rare_user_type10_remote_login" +name = "Unusual Windows Remote User" +note = """### Investigating an Unusual Windows User ### +Signals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation: +- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? +- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?""" +references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"] +risk_score = 21 +rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9" +severity = "low" +tags = ["Elastic", "ML", "Windows"] +type = "machine_learning" + diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml new file mode 100644 index 000000000..e4759fea0 --- /dev/null +++ b/rules/network/command_and_control_dns_directly_to_the_internet.toml @@ -0,0 +1,57 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior +for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, +misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and +logging of DNS, and opens your network to a variety of abuses and malicious communications. +""" +false_positives = [ + """ + Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined + in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. + This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon + DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet + destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "DNS Activity to the Internet" +references = [ + "https://www.us-cert.gov/ncas/alerts/TA15-240A", + "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf", +] +risk_score = 47 +rule_id = "6ea71ff0-9e95-475b-9506-2580d1ce6154" +severity = "medium" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or + 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml new file mode 100644 index 000000000..cee95fda2 --- /dev/null +++ b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml @@ -0,0 +1,66 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects events that may indicate the use of FTP network connections to the Internet. The File Transfer +Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your +network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data +from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose +usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be +unauthorized. +""" +false_positives = [ + """ + FTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for + data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP + activity involving an unusual source or destination may be more suspicious. FTP activity involving a production + server that has no known associated FTP workflow or business requirement is often suspicious. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "FTP (File Transfer Protocol) Activity to the Internet" +risk_score = 21 +rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43" +severity = "low" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:(20 or 21) and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml new file mode 100644 index 000000000..e48d22395 --- /dev/null +++ b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml @@ -0,0 +1,65 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol +that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and +data transfers to and from a network. +""" +false_positives = [ + """ + IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC + activity involving an unusual source or destination may be more suspicious. IRC activity involving a production + server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain + conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. + In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon + and usually only appears in local traffic using private IPs, which does not match this rule's conditions. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "IRC (Internet Relay Chat) Protocol Activity to the Internet" +risk_score = 47 +rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa" +severity = "medium" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:(6667 or 6697) and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml new file mode 100644 index 000000000..cd7a1e31e --- /dev/null +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one +system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet +where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also +used by threat actors to avoid detection. +""" +false_positives = [ + """ + Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be + unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain + conditions, such as when an application server with a public IP address replies to a client which has used a UDP + port in the range by coincidence. This is uncommon but such servers can be excluded. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "IPSEC NAT Traversal Port Activity" +risk_score = 21 +rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7" +severity = "low" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:udp and destination.port:4500 +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml new file mode 100644 index 000000000..9f7ea251c --- /dev/null +++ b/rules/network/command_and_control_port_26_activity.toml @@ -0,0 +1,63 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular +mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family +called BadPatch for command and control of Windows systems. +""" +false_positives = [ + """ + Servers that process email traffic may cause false positives and should be excluded from this rule as this is + expected behavior. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "SMTP on Port 26/TCP" +references = [ + "https://unit42.paloaltonetworks.com/unit42-badpatch/", + "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/", +] +risk_score = 21 +rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d" +severity = "low" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:26 +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml new file mode 100644 index 000000000..9ace7be07 --- /dev/null +++ b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed +directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a +reverse proxy. +""" +false_positives = [ + """ + Because this port is in the ephemeral range, this rule may false under certain conditions, such as when a NATed web + server replies to a client which has used a port in the range by coincidence. In this case, such servers can be + excluded. Some applications may use this port but this is very uncommon and usually appears in local traffic using + private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use + this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "TCP Port 8000 Activity to the Internet" +risk_score = 21 +rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf" +severity = "low" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:8000 and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml new file mode 100644 index 000000000..f84f7ee36 --- /dev/null +++ b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml @@ -0,0 +1,49 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of +connections to tunnel their traffic while avoiding detection. +""" +false_positives = [ + """ + Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage + that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use + this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when + an application server replies to a client that used this port by coincidence. This is uncommon but such servers can + be excluded. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "PPTP (Point to Point Tunneling Protocol) Activity" +risk_score = 21 +rule_id = "d2053495-8fe7-4168-b3df-dad844046be3" +severity = "low" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:1723 +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml new file mode 100644 index 000000000..03dc4d93e --- /dev/null +++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects events that may describe network events of proxy use to the Internet. It includes popular HTTP proxy +ports and SOCKS proxy ports. Typically, environments will use an internal IP address for a proxy server. It can also be +used to circumvent network controls and detection mechanisms. +""" +false_positives = [ + """ + Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this + rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually + local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if + desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or + destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not + in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this + rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in + the range by coincidence. In this case, such servers can be excluded if desired. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Proxy Port Activity to the Internet" +risk_score = 47 +rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3" +severity = "medium" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:(1080 or 3128 or 8080) and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml new file mode 100644 index 000000000..a8661453e --- /dev/null +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml @@ -0,0 +1,78 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by +system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be +directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or +back-door vector. +""" +false_positives = [ + """ + Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or + network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some + networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected + expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such + as remote access and support for specialized software products and servers. Such work-flows are usually known and + not unexpected. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "RDP (Remote Desktop Protocol) from the Internet" +risk_score = 47 +rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488" +severity = "medium" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:3389 and + not source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml new file mode 100644 index 000000000..d3907563a --- /dev/null +++ b/rules/network/command_and_control_smtp_to_the_internet.toml @@ -0,0 +1,62 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects events that may describe SMTP traffic from internal hosts to a host across the Internet. In an +enterprise network, there is typically a dedicated internal host that performs this function. It is also frequently +abused by threat actors for command and control, or data exfiltration. +""" +false_positives = [ + """ + NATed servers that process email traffic may false and should be excluded from this rule as this is expected + behavior for them. Consumer and personal devices may send email traffic to remote Internet destinations. In this + case, such devices or networks can be excluded from this rule if this is expected behavior. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "SMTP to the Internet" +risk_score = 21 +rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4" +severity = "low" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:(25 or 465 or 587) and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml new file mode 100644 index 000000000..77f719be4 --- /dev/null +++ b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml @@ -0,0 +1,51 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. +Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to +gain initial access to network resources. +""" +false_positives = [ + """ + Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed + web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be + excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and + database instances are accessed directly across the Internet. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "SQL Traffic to the Internet" +risk_score = 47 +rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd" +severity = "medium" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:(1433 or 1521 or 3336 or 5432) and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml new file mode 100644 index 000000000..0b19aaaca --- /dev/null +++ b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml @@ -0,0 +1,78 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by +system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it +should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial +access or back-door vector. +""" +false_positives = [ + """ + Some network security policies allow SSH directly from the Internet but usage that is unfamiliar to server or + network owners can be unexpected and suspicious. SSH services may be exposed directly to the Internet in some + networks such as cloud environments. In such cases, only SSH gateways, bastions or jump servers may be expected + expose SSH directly to the Internet and can be exempted from this rule. SSH may be required by some work-flows such + as remote access and support for specialized software products and servers. Such work-flows are usually known and + not unexpected. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "SSH (Secure Shell) from the Internet" +risk_score = 47 +rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17" +severity = "medium" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:22 and + not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") and + destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml new file mode 100644 index 000000000..8317c02cb --- /dev/null +++ b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by +system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it +should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial +access or back-door vector. +""" +false_positives = [ + """ + SSH connections may be made directly to Internet destinations in order to access Linux cloud server instances but + such connections are usually made only by engineers. In such cases, only SSH gateways, bastions or jump servers may + be expected Internet destinations and can be exempted from this rule. SSH may be required by some work-flows such as + remote access and support for specialized software products and servers. Such work-flows are usually known and not + unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "SSH (Secure Shell) to the Internet" +risk_score = 21 +rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4" +severity = "low" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:22 and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml new file mode 100644 index 000000000..c9dffe729 --- /dev/null +++ b/rules/network/command_and_control_telnet_port_activity.toml @@ -0,0 +1,75 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system +administrators to remotely control older or embed ed systems using the command line shell. It should almost never be +directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or +back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing +the traffic. +""" +false_positives = [ + """ + IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business + work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet + activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production + server that has no known associated Telnet work-flow or business requirement is often suspicious. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Telnet Port Activity" +risk_score = 47 +rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269" +severity = "medium" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:23 +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml new file mode 100644 index 000000000..a535f83df --- /dev/null +++ b/rules/network/command_and_control_tor_activity_to_the_internet.toml @@ -0,0 +1,63 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of Tor traffic to the Internet. Tor is a network protocol +that sends traffic through a series of encrypted tunnels used to conceal a user's location and usage. Tor may be used by +threat actors as an alternate communication pathway to conceal the actor's identity and avoid detection. +""" +false_positives = [ + """ + Tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks + where few security policies apply. Because these ports are in the ephemeral range, this rule may false under certain + conditions such as when a NATed web server replies to a client which has used one of these ports by coincidence. In + this case, such servers can be excluded if desired. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Tor Activity to the Internet" +risk_score = 47 +rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540" +severity = "medium" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:(9001 or 9030) and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Commonly Used Port" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1188" +name = "Multi-hop Proxy" +reference = "https://attack.mitre.org/techniques/T1188/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml new file mode 100644 index 000000000..de130929a --- /dev/null +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -0,0 +1,64 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by +system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be +directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or +back-door vector. +""" +false_positives = [ + """ + VNC connections may be received directly to Linux cloud server instances but such connections are usually made only + by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and + support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage + that is unfamiliar to server or network owners can be unexpected and suspicious. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "VNC (Virtual Network Computing) from the Internet" +risk_score = 73 +rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8" +severity = "high" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and + not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") and + destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1219" +name = "Remote Access Tools" +reference = "https://attack.mitre.org/techniques/T1219/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml new file mode 100644 index 000000000..f48467972 --- /dev/null +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by +system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be +directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or +back-door vector. +""" +false_positives = [ + """ + VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by + engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and + support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage + that is unfamiliar to server or network owners can be unexpected and suspicious. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "VNC (Virtual Network Computing) to the Internet" +risk_score = 47 +rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf" +severity = "medium" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1219" +name = "Remote Access Tools" +reference = "https://attack.mitre.org/techniques/T1219/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml new file mode 100644 index 000000000..fbdb638d7 --- /dev/null +++ b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml @@ -0,0 +1,65 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by +system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be +directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or +back-door vector. +""" +false_positives = [ + """ + RDP connections may be made directly to Internet destinations in order to access Windows cloud server instances but + such connections are usually made only by engineers. In such cases, only RDP gateways, bastions or jump servers may + be expected Internet destinations and can be exempted from this rule. RDP may be required by some work-flows such as + remote access and support for specialized software products and servers. Such work-flows are usually known and not + unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "RDP (Remote Desktop Protocol) to the Internet" +risk_score = 21 +rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5" +severity = "low" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:3389 and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1043" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1043/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml new file mode 100644 index 000000000..63a2998e9 --- /dev/null +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -0,0 +1,44 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by +system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be +directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or +back-door vector. +""" +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "RPC (Remote Procedure Call) from the Internet" +risk_score = 73 +rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a" +severity = "high" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:135 and + not source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") and + destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml new file mode 100644 index 000000000..e263bacaf --- /dev/null +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -0,0 +1,44 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by +system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be +directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or +back-door vector. +""" +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "RPC (Remote Procedure Call) to the Internet" +risk_score = 73 +rule_id = "32923416-763a-4531-bb35-f33b9232ecdb" +severity = "high" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:135 and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml new file mode 100644 index 000000000..ecf3192c7 --- /dev/null +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -0,0 +1,56 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/09" + +[rule] +author = ["Elastic"] +description = """ +This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to +the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted +systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by +threat actors as an initial access or back-door vector or for data exfiltration. +""" +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "SMB (Windows File Sharing) Activity to the Internet" +risk_score = 73 +rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a" +severity = "high" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +network.transport:tcp and destination.port:(139 or 445) and + source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and + not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml new file mode 100644 index 000000000..64e361f82 --- /dev/null +++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -0,0 +1,44 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in +order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs. +""" +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempted Bypass of Okta MFA" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 73 +rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0" +severity = "high" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:user.mfa.attempt_bypass +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1111" +name = "Two-Factor Authentication Interception" +reference = "https://attack.mitre.org/techniques/T1111/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml new file mode 100644 index 000000000..359d66826 --- /dev/null +++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to +disrupt an organization's business operations. +""" +false_positives = [ + """ + If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false + positives. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Revoke Okta API Token" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:system.api_token.revoke +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml new file mode 100644 index 000000000..a72537ab7 --- /dev/null +++ b/rules/okta/impact_possible_okta_dos_attack.toml @@ -0,0 +1,49 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to disrupt an organization's business operations by performing a denial of service (DoS) attack +against its Okta infrastructure. +""" +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Possible Okta DoS Attack" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 47 +rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68" +severity = "medium" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" + +[[rule.threat.technique]] +id = "T1499" +name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" + + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml new file mode 100644 index 000000000..5b9e2cc50 --- /dev/null +++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -0,0 +1,81 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +This rule detects when a user reports suspicious activity for their Okta account. These events should be investigated, +as they can help security teams identify when an adversary is attempting to gain access to their network. +""" +false_positives = ["A user may report suspicious activity on their Okta account in error."] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Suspicious Activity Reported by Okta User" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 47 +rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588" +severity = "medium" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml new file mode 100644 index 000000000..02b13d1c2 --- /dev/null +++ b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml @@ -0,0 +1,36 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to deactivate an Okta multi-factor authentication (MFA) rule in order to remove or weaken an +organization's security controls. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in + your organization. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Deactivate Okta MFA Rule" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:policy.rule.deactivate +''' + diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml new file mode 100644 index 000000000..9c9c279c3 --- /dev/null +++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml @@ -0,0 +1,37 @@ +[metadata] +creation_date = "2020/05/28" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/28" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, +an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the +authentication requirements for user accounts. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your + organization. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Delete Okta Policy" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:policy.lifecycle.delete +''' + diff --git a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml new file mode 100644 index 000000000..1bdc17a3d --- /dev/null +++ b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml @@ -0,0 +1,36 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to modify an Okta multi-factor authentication (MFA) rule in order to remove or weaken an +organization's security controls. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your + organization. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Modify Okta MFA Rule" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:(policy.rule.update or policy.rule.delete) +''' + diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml new file mode 100644 index 000000000..fad921eaa --- /dev/null +++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml @@ -0,0 +1,37 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An +adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an +organization's security controls. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are + regularly modified. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Modify Okta Network Zone" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 47 +rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3" +severity = "medium" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:(zone.update or zone.deactivate or zone.delete or network_zone.rule.disabled or zone.remove_blacklist) +''' + diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml new file mode 100644 index 000000000..639e8c337 --- /dev/null +++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml @@ -0,0 +1,37 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, +an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the +authentication requirements for user accounts. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your + organization. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Modify Okta Policy" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:policy.lifecycle.update +''' + diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml new file mode 100644 index 000000000..6acf3f031 --- /dev/null +++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml @@ -0,0 +1,31 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +This rule detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from +IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential +based attacks against their organization, such as brute force and password spraying attacks. +""" +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Threat Detected by Okta ThreatInsight" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 47 +rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9" +severity = "medium" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:security.threat.detected +''' + diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml new file mode 100644 index 000000000..d648597f8 --- /dev/null +++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions +to compromised user accounts. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if administrator privileges are regularly assigned + to Okta groups in your organization. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Administrator Privileges Assigned to Okta Group" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "b8075894-0b62-46e5-977c-31275da34419" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:group.privilege.grant +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml new file mode 100644 index 000000000..b1678bea8 --- /dev/null +++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml @@ -0,0 +1,51 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve +their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling +security rules or policies. +""" +false_positives = [ + """ + If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false + positives. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Create Okta API Token" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:system.api_token.create +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml new file mode 100644 index 000000000..35f7ea74f --- /dev/null +++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/05/20" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/20" + +[rule] +author = ["Elastic"] +description = """ +An adversary may deactivate multi-factor authentication (MFA) for an Okta user account in order to weaken the +authentication requirements for the account. +""" +false_positives = [ + """ + If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to + filter false positives. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Deactivate MFA for Okta User Account" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:user.mfa.factor.deactivate +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml new file mode 100644 index 000000000..0cc09633b --- /dev/null +++ b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml @@ -0,0 +1,51 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For +example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the +authentication requirements for user accounts. +""" +false_positives = [ + """ + If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false + positives. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Deactivate Okta Policy" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:policy.lifecycle.deactivate +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml new file mode 100644 index 000000000..852b1cafe --- /dev/null +++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/05/21" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/05/21" + +[rule] +author = ["Elastic"] +description = """ +An adversary may attempt to remove the multi-factor authentication (MFA) factors registered on an Okta user's account in +order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment. +""" +false_positives = [ + """ + Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are + regularly reset in your organization. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Attempt to Reset MFA Factors for Okta User Account" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", +] +risk_score = 21 +rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181" +severity = "low" +tags = ["Elastic", "Okta"] +type = "query" + +query = ''' +event.dataset:okta.system and event.action:user.mfa.factor.reset_all +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml new file mode 100644 index 000000000..7cfd55586 --- /dev/null +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/03/19" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/19" + +[rule] +author = ["Elastic"] +description = """ +Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or +malware, from a remote URL. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Network Connection via Certutil" +risk_score = 21 +rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:certutil.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Remote File Copy" +reference = "https://attack.mitre.org/techniques/T1105/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml new file mode 100755 index 000000000..1dda8346c --- /dev/null +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -0,0 +1,42 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +author = ["Elastic"] +description = """ +An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows +credential management. This technique is sometimes used for credential dumping. +""" +false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Microsoft Build Engine Loading Windows Credential Libraries" +risk_score = 73 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5" +severity = "high" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and + process.name: MSBuild.exe and event.action: "Image loaded (rule: ImageLoad)" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml new file mode 100644 index 000000000..00a44f62f --- /dev/null +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -0,0 +1,49 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection." +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Adding Hidden File Attribute via Attrib" +risk_score = 21 +rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:attrib.exe and process.args:+h +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1158" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1158/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1158" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1158/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml new file mode 100644 index 000000000..43b54c591 --- /dev/null +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection +or destroy forensic evidence on a system. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Clearing Windows Event Logs" +risk_score = 21 +rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:wevtutil.exe and process.args:cl or process.name:powershell.exe and process.args:Clear-EventLog +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal on Host" +reference = "https://attack.mitre.org/techniques/T1070/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml new file mode 100644 index 000000000..687cea155 --- /dev/null +++ b/rules/windows/defense_evasion_cve_2020_0601.toml @@ -0,0 +1,41 @@ +[metadata] +creation_date = "2020/03/19" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/19" + +[rule] +author = ["Elastic"] +description = """ +A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) +certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a +malicious executable, making it appear the file was from a trusted, legitimate source. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)" +risk_score = 21 +rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.provider:"Microsoft-Windows-Audit-CVE" and message:"[CVE-2020-0601]" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1116" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1116/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml new file mode 100644 index 000000000..8b8fc9fde --- /dev/null +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence +of files created during post-exploitation activities. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Delete Volume USN Journal with Fsutil" +risk_score = 21 +rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:fsutil.exe and process.args:(deletejournal and usn) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1107" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1107/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml new file mode 100644 index 000000000..affc6fc60 --- /dev/null +++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent +system recovery. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Deleting Backup Catalogs with Wbadmin" +risk_score = 21 +rule_id = "581add16-df76-42bb-af8e-c979bfb39a59" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:wbadmin.exe and process.args:(catalog and delete) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1107" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1107/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml new file mode 100644 index 000000000..e88b9addb --- /dev/null +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to +disable the firewall during troubleshooting or to enable network mobility. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Disable Windows Firewall Rules via Netsh" +risk_score = 47 +rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9" +severity = "medium" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:netsh.exe and process.args:(disable and firewall and set) or process.args:(advfirewall and off and state) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml new file mode 100644 index 000000000..0a84b2f68 --- /dev/null +++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml @@ -0,0 +1,41 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies the use of certutil.exe to encode or decode data. CertUtil is a native Windows component which is part of +Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and +control or exfiltration. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Encoding or Decoding Files via CertUtil" +risk_score = 47 +rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf" +severity = "medium" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:certutil.exe and process.args:(-decode or -encode or /decode or /encode) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml new file mode 100755 index 000000000..594460d2f --- /dev/null +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -0,0 +1,62 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +author = ["Elastic"] +description = """ +An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build +Engine and could have been caused by an Excel or Word document executing a malicious script payload. +""" +false_positives = [ + """ + The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for + this program to be started by an Office application like Word or Excel. + """, +] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Microsoft Build Engine Started by an Office Application" +references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] +risk_score = 73 +rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c" +severity = "high" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:MSBuild.exe and + process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or + mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and + event.action: "Process Create (rule: ProcessCreate)" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml new file mode 100755 index 000000000..4d5dbc31f --- /dev/null +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -0,0 +1,54 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +author = ["Elastic"] +description = """ +An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This +behavior is unusual and is sometimes used by malicious payloads. +""" +false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Microsoft Build Engine Started by a Script Process" +risk_score = 21 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and + event.action:"Process Create (rule: ProcessCreate)" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml new file mode 100755 index 000000000..558b1569c --- /dev/null +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -0,0 +1,54 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +author = ["Elastic"] +description = """ +An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management +Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads. +""" +false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Microsoft Build Engine Started by a System Process" +risk_score = 47 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3" +severity = "medium" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:MSBuild.exe and process.parent.name:(explorer.exe or wmiprvse.exe) and + event.action:"Process Create (rule: ProcessCreate)" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml new file mode 100755 index 000000000..5338266e4 --- /dev/null +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -0,0 +1,43 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +author = ["Elastic"] +description = """ +An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may +indicate an attempt to run unnoticed or undetected. +""" +false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Microsoft Build Engine Using an Alternate Name" +risk_score = 21 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +(pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName: MSBuild.exe) and + not process.name: MSBuild.exe and + event.action: "Process Create (rule: ProcessCreate)" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml new file mode 100755 index 000000000..b638e1067 --- /dev/null +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -0,0 +1,47 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +author = ["Elastic"] +description = """ +An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. +This technique is sometimes used to deploy a malicious payload using the Build Engine. +""" +false_positives = [ + """ + The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system + triggers this rule it can be exempted by process, user or host name. + """, +] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Microsoft Build Engine Started an Unusual Process" +references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"] +risk_score = 21 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.parent.name:MSBuild.exe and process.name:(csc.exe or iexplore.exe or powershell.exe) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1500" +name = "Compile After Delivery" +reference = "https://attack.mitre.org/techniques/T1500/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml new file mode 100644 index 000000000..f61eb0557 --- /dev/null +++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "Identifies possibly suspicious activity using trusted Windows developer activity." +false_positives = ["These programs may be used by Windows developers but use by non-engineers is unusual."] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Trusted Developer Application Usage" +risk_score = 21 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.code:1 and process.name:(MSBuild.exe or msxsl.exe) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml new file mode 100755 index 000000000..62c0856d5 --- /dev/null +++ b/rules/windows/defense_evasion_injection_msbuild.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +author = ["Elastic"] +description = """ +An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes +used to evade detection or elevate privileges. +""" +false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Process Injection by the Microsoft Build Engine" +risk_score = 21 +rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:MSBuild.exe and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml new file mode 100644 index 000000000..16f644ceb --- /dev/null +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature +validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass +application whitelisting and signature validation. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Network Connection via Signed Binary" +risk_score = 21 +rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:(expand.exe or extrac.exe or ieexec.exe or makecab.exe) and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "Signed Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1218" +name = "Signed Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml new file mode 100644 index 000000000..d2022456a --- /dev/null +++ b/rules/windows/defense_evasion_modification_of_boot_config.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/03/16" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/16" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an +attacker as a destructive technique. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Modification of Boot Configuration" +risk_score = 21 +rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:bcdedit.exe and process.args:(/set and (bootstatuspolicy and ignoreallfailures or no and recoveryenabled)) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1107" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1107/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml new file mode 100644 index 000000000..c09912710 --- /dev/null +++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade +defenses. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Potential Evasion via Filter Manager" +risk_score = 21 +rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.code:1 and process.name:fltMC.exe +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml new file mode 100644 index 000000000..e386d8841 --- /dev/null +++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or +other destructive attacks. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Volume Shadow Copy Deletion via VssAdmin" +risk_score = 73 +rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921" +severity = "high" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:vssadmin.exe and process.args:(delete and shadows) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml new file mode 100644 index 000000000..b5787d70b --- /dev/null +++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or +other destructive attacks. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Volume Shadow Copy Deletion via WMIC" +risk_score = 73 +rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57" +severity = "high" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:WMIC.exe and process.args:(delete and shadowcopy) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1107" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1107/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml new file mode 100644 index 000000000..21621e007 --- /dev/null +++ b/rules/windows/discovery_net_command_system_account.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/03/18" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It +is used in command line operations for control of users, groups, services, and network connections. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Net command via SYSTEM account" +risk_score = 21 +rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +(process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and user.name:SYSTEM and event.action:"Process Create (rule: ProcessCreate)" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml new file mode 100644 index 000000000..8b5b29c95 --- /dev/null +++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml @@ -0,0 +1,44 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "Adversaries may attempt to get information about running processes on a system." +false_positives = [ + """ + Administrators may use the tasklist command to display a list of currently running processes. By itself, it does not + indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like + tasklist to get information about running processes. + """, +] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Process Discovery via Tasklist" +risk_score = 21 +rule_id = "cc16f774-59f9-462d-8b98-d27ccd4519ec" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.code:1 and process.name:tasklist.exe +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml new file mode 100644 index 000000000..5d3694f9c --- /dev/null +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -0,0 +1,46 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of whoami.exe which displays user, group, and privileges information for the user who is currently logged +on to the local system. +""" +false_positives = [ + """ + Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and + frameworks. Usage by non-engineers and ordinary users is unusual. + """, +] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Whoami Process Activity" +risk_score = 21 +rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:whoami.exe and event.code:1 +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml new file mode 100644 index 000000000..e6a0c394b --- /dev/null +++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml @@ -0,0 +1,58 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a +remote URL. +""" +false_positives = [ + """ + Administrators may use the command prompt for regular administrative tasks. It's important to baseline your + environment for network connections being made from the command prompt to determine any abnormal use of this tool. + """, +] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Command Prompt Network Connection" +risk_score = 21 +rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:cmd.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command-Line Interface" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1105" +name = "Remote File Copy" +reference = "https://attack.mitre.org/techniques/T1105/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml new file mode 100644 index 000000000..bda6ef59f --- /dev/null +++ b/rules/windows/execution_command_shell_started_by_powershell.toml @@ -0,0 +1,49 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe." +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "PowerShell spawning Cmd" +risk_score = 21 +rule_id = "0f616aee-8161-4120-857e-742366f5eeb3" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.parent.name:powershell.exe and process.name:cmd.exe +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command-Line Interface" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1086" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1086/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml new file mode 100644 index 000000000..3f98c5541 --- /dev/null +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -0,0 +1,37 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Svchost spawning Cmd" +risk_score = 21 +rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.parent.name:svchost.exe and process.name:cmd.exe +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command-Line Interface" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml new file mode 100644 index 000000000..8082880d4 --- /dev/null +++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal +malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable +program (hh.exe). +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Network Connection via Compiled HTML File" +risk_score = 21 +rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:hh.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1223" +name = "Compiled HTML File" +reference = "https://attack.mitre.org/techniques/T1223/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1223" +name = "Compiled HTML File" +reference = "https://attack.mitre.org/techniques/T1223/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_local_service_commands.toml b/rules/windows/execution_local_service_commands.toml new file mode 100644 index 000000000..4a29218ec --- /dev/null +++ b/rules/windows/execution_local_service_commands.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary +lateral movement but will be noisy if commonly done by admins. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Local Service Commands" +risk_score = 21 +rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:sc.exe and process.args:(config or create or failure or start) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_msbuild_making_network_connections.toml b/rules/windows/execution_msbuild_making_network_connections.toml new file mode 100644 index 000000000..354f376f9 --- /dev/null +++ b/rules/windows/execution_msbuild_making_network_connections.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often +leveraged by adversaries to execute code and evade detection. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "MsBuild Making Network Connections" +risk_score = 47 +rule_id = "0e79980b-4250-4a50-a509-69294c14e84b" +severity = "medium" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Network connection detected (rule: NetworkConnect)" and process.name:MSBuild.exe and not destination.ip:(127.0.0.1 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_mshta_making_network_connections.toml b/rules/windows/execution_mshta_making_network_connections.toml new file mode 100644 index 000000000..2ab44b42d --- /dev/null +++ b/rules/windows/execution_mshta_making_network_connections.toml @@ -0,0 +1,41 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged +by adversaries to execute malicious scripts and evade detection. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Network Connection via Mshta" +references = ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"] +risk_score = 47 +rule_id = "a4ec1382-4557-452b-89ba-e413b22ed4b8" +severity = "medium" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Network connection detected (rule: NetworkConnect)" and process.name:mshta.exe +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1170" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1170/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_msxsl_network.toml b/rules/windows/execution_msxsl_network.toml new file mode 100644 index 000000000..76b0b36bf --- /dev/null +++ b/rules/windows/execution_msxsl_network.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/03/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged +by adversaries to execute malicious scripts and evade detection. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Network Connection via MsXsl" +risk_score = 21 +rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:msxsl.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1220" +name = "XSL Script Processing" +reference = "https://attack.mitre.org/techniques/T1220/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml new file mode 100644 index 000000000..eb4e3bf7a --- /dev/null +++ b/rules/windows/execution_psexec_lateral_movement_command.toml @@ -0,0 +1,58 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral +movement. +""" +false_positives = [ + """ + PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your + environment to determine the amount of noise to expect from this tool. + """, +] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "PsExec Network Connection" +risk_score = 21 +rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:PsExec.exe and event.action:"Network connection detected (rule: NetworkConnect)" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1035" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1035/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1035" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1035/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml new file mode 100644 index 000000000..8ebaf8e71 --- /dev/null +++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml @@ -0,0 +1,58 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of +an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary. +""" +false_positives = [ + """ + Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users + is unusual. + """, +] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Network Connection via Regsvr" +risk_score = 21 +rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:(regsvr32.exe or regsvr64.exe) and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1117" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1117/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1117" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1117/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_script_executing_powershell.toml b/rules/windows/execution_script_executing_powershell.toml new file mode 100644 index 000000000..af48522e0 --- /dev/null +++ b/rules/windows/execution_script_executing_powershell.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes +executing a PowerShell script, may be indicative of malicious activity. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Windows Script Executing PowerShell" +risk_score = 21 +rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:(cscript.exe or wscript.exe) and process.name:powershell.exe +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1193" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1193/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_suspicious_ms_office_child_process.toml b/rules/windows/execution_suspicious_ms_office_child_process.toml new file mode 100644 index 000000000..bc008c354 --- /dev/null +++ b/rules/windows/execution_suspicious_ms_office_child_process.toml @@ -0,0 +1,41 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). +These child processes are often launched during exploitation of Office applications or from documents with malicious +macros. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Suspicious MS Office Child Process" +risk_score = 21 +rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or powerpnt.exe or winword.exe) and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1193" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1193/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_suspicious_ms_outlook_child_process.toml b/rules/windows/execution_suspicious_ms_outlook_child_process.toml new file mode 100644 index 000000000..5331edc98 --- /dev/null +++ b/rules/windows/execution_suspicious_ms_outlook_child_process.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear +phishing activity. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Suspicious MS Outlook Child Process" +risk_score = 21 +rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1193" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1193/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml new file mode 100644 index 000000000..b144d212e --- /dev/null +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/03/30" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/30" + +[rule] +author = ["Elastic"] +description = """ +Identifies suspicious child processes of PDF reader applications. These child processes are often launched via +exploitation of PDF applications or social engineering. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Suspicious PDF Reader Child Process" +risk_score = 21 +rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:(AcroRd32.exe or Acrobat.exe or FoxitPhantomPDF.exe or FoxitReader.exe) and process.name:(arp.exe or dsquery.exe or dsget.exe or gpresult.exe or hostname.exe or ipconfig.exe or nbtstat.exe or net.exe or net1.exe or netsh.exe or netstat.exe or nltest.exe or ping.exe or qprocess.exe or quser.exe or qwinsta.exe or reg.exe or sc.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or installutil.exe or Microsoft.Workflow.Compiler.exe or msbuild.exe or mshta.exe or msxsl.exe or odbcconf.exe or rcsi.exe or regsvr32.exe or xwizard.exe or atbroker.exe or forfiles.exe or schtasks.exe or regasm.exe or regsvcs.exe or cmd.exe or cscript.exe or powershell.exe or pwsh.exe or wmic.exe or wscript.exe or bitsadmin.exe or certutil.exe or ftp.exe) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml new file mode 100644 index 000000000..b38117e22 --- /dev/null +++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity +and may identify malicious DLLs. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Unusual Network Connection via RunDLL32" +risk_score = 21 +rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:rundll32.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 127.0.0.0/8) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1085" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1085/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_unusual_process_network_connection.toml b/rules/windows/execution_unusual_process_network_connection.toml new file mode 100644 index 000000000..5d95a3a7e --- /dev/null +++ b/rules/windows/execution_unusual_process_network_connection.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies network activity from unexpected system applications. This may indicate adversarial activity as these +applications are often leveraged by adversaries to execute code and evade detection. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Unusual Process Network Connection" +risk_score = 21 +rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Network connection detected (rule: NetworkConnect)" and process.name:(Microsoft.Workflow.Compiler.exe or bginfo.exe or cdb.exe or cmstp.exe or csi.exe or dnx.exe or fsi.exe or ieexec.exe or iexpress.exe or odbcconf.exe or rcsi.exe or xwizard.exe) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities" +reference = "https://attack.mitre.org/techniques/T1127/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml new file mode 100644 index 000000000..4492803a7 --- /dev/null +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal +malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable +program (hh.exe). +""" +false_positives = [ + """ + The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that + opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology + to conceal malicious code. + """, +] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Process Activity via Compiled HTML File" +risk_score = 21 +rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.code:1 and process.name:hh.exe +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1223" +name = "Compiled HTML File" +reference = "https://attack.mitre.org/techniques/T1223/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1223" +name = "Compiled HTML File" +reference = "https://attack.mitre.org/techniques/T1223/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml new file mode 100644 index 000000000..f7685d521 --- /dev/null +++ b/rules/windows/execution_via_net_com_assemblies.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/03/25" +ecs_version = ["1.5.0"] +maturity = "production" +updated_date = "2020/03/25" + +[rule] +author = ["Elastic"] +description = """ +RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model +(COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows +utility. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Execution via Regsvcs/Regasm" +risk_score = 21 +rule_id = "47f09343-8d1f-4bb5-8bb0-00c9d18f5010" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.name:(RegAsm.exe or RegSvcs.exe) and event.action:"Process Create (rule: ProcessCreate)" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1121" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1121/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1121" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1121/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml new file mode 100644 index 000000000..e49c03959 --- /dev/null +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -0,0 +1,42 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented +over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network +connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or +suspicious user-level processes moving laterally. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Direct Outbound SMB Connection" +risk_score = 47 +rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1" +severity = "medium" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Network connection detected (rule: NetworkConnect)" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or "::1") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml new file mode 100644 index 000000000..ac8e3f82e --- /dev/null +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -0,0 +1,37 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "Detects writing executable files that will be automatically launched by Adobe on launch." +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Adobe Hijack Persistence" +risk_score = 21 +rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created (rule: FileCreate)" and not process.name:msiexec.exe +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1044" +name = "File System Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1044/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml new file mode 100644 index 000000000..039beb68a --- /dev/null +++ b/rules/windows/persistence_local_scheduled_task_commands.toml @@ -0,0 +1,38 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges." +false_positives = ["Legitimate scheduled tasks may be created during installation of new software."] +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Local Scheduled Task Commands" +risk_score = 21 +rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:schtasks.exe and process.args:(-change or -create or -run or -s or /S or /change or /create or /run) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml new file mode 100644 index 000000000..1979915c1 --- /dev/null +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Windows contains accessibility features that may be launched with a key combination before a user has logged in. An +adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the +system. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Potential Modification of Accessibility Binaries" +risk_score = 21 +rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1015" +name = "Accessibility Features" +reference = "https://attack.mitre.org/techniques/T1015/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1015" +name = "Accessibility Features" +reference = "https://attack.mitre.org/techniques/T1015/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml new file mode 100644 index 000000000..ace8234cc --- /dev/null +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration +testers may run a shell as a service to gain SYSTEM permissions. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "System Shells via Services" +risk_score = 47 +rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" +severity = "medium" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:services.exe and process.name:(cmd.exe or powershell.exe) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1050" +name = "New Service" +reference = "https://attack.mitre.org/techniques/T1050/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml new file mode 100644 index 000000000..eae6cfced --- /dev/null +++ b/rules/windows/persistence_user_account_creation.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or +domain. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "User Account Creation" +risk_score = 21 +rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add)) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml new file mode 100644 index 000000000..3ed9ffa42 --- /dev/null +++ b/rules/windows/persistence_via_application_shimming.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +The Application Shim was created to allow for backward compatibility of software as the operating system codebase +changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary +code execution in legitimate Windows processes. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Potential Application Shimming via Sdbinst" +risk_score = 21 +rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.code:1 and process.name:sdbinst.exe +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1138" +name = "Application Shimming" +reference = "https://attack.mitre.org/techniques/T1138/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1138" +name = "Application Shimming" +reference = "https://attack.mitre.org/techniques/T1138/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml new file mode 100644 index 000000000..ea2299caa --- /dev/null +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/03/17" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/03/17" + +[rule] +author = ["Elastic"] +description = """ +Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with +elevated permissions. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Bypass UAC via Event Viewer" +risk_score = 21 +rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62" +severity = "low" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +process.parent.name:eventvwr.exe and event.action:"Process Create (rule: ProcessCreate)" and not process.executable:("C:\Windows\SysWOW64\mmc.exe" or "C:\Windows\System32\mmc.exe") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1088" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1088/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml new file mode 100644 index 000000000..dbed845fa --- /dev/null +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -0,0 +1,40 @@ +[metadata] +creation_date = "2020/02/18" +ecs_version = ["1.4.0"] +maturity = "production" +updated_date = "2020/02/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange +activity on a system. +""" +index = ["winlogbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Unusual Parent-Child Relationship" +risk_score = 47 +rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b" +severity = "medium" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.action:"Process Create (rule: ProcessCreate)" and process.parent.executable:* and (process.name:smss.exe and not process.parent.name:(System or smss.exe) or process.name:csrss.exe and not process.parent.name:(smss.exe or svchost.exe) or process.name:wininit.exe and not process.parent.name:smss.exe or process.name:winlogon.exe and not process.parent.name:smss.exe or process.name:lsass.exe and not process.parent.name:wininit.exe or process.name:LogonUI.exe and not process.parent.name:(wininit.exe or winlogon.exe) or process.name:services.exe and not process.parent.name:wininit.exe or process.name:svchost.exe and not process.parent.name:(MsMpEng.exe or services.exe) or process.name:spoolsv.exe and not process.parent.name:services.exe or process.name:taskhost.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:taskhostw.exe and not process.parent.name:(services.exe or svchost.exe) or process.name:userinit.exe and not process.parent.name:(dwm.exe or winlogon.exe)) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1093" +name = "Process Hollowing" +reference = "https://attack.mitre.org/techniques/T1093/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +