security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] 3rd Party EDR Compatibility - 17 (#4042)

Browse Source 
* [Rule Tuning] 3rd Party EDR Compatibility - 17

* Update rules/windows/privilege_escalation_unusual_parentchild_relationship.toml

* min_stack for merge, bump updated_date

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2024-10-13 18:34:22 -03:00
committed by GitHub
parent 7385f9dd2e
commit 6f69b33529
13 changed files with 116 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+12 -4
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/11/26"
integration = ["endpoint"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies a privilege escalation attempt via a rogue Windows directory (Windir)
primitive that is often combined with other vulnerabilities to elevate privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Privilege Escalation via Windir Environment Variable"
@@ -27,6 +29,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -39,8 +43,12 @@ registry.path : (
"HKEY_USERS\\*\\Environment\\systemroot",
"HKU\\*\\Environment\\windir",
"HKU\\*\\Environment\\systemroot",
"HKCU\\*\\Environment\\windir",
"HKCU\\*\\Environment\\systemroot",
"\\REGISTRY\\USER\\*\\Environment\\windir",
"\\REGISTRY\\USER\\*\\Environment\\systemroot"
"\\REGISTRY\\USER\\*\\Environment\\systemroot",
"USER\\*\\Environment\\windir",
"USER\\*\\Environment\\systemroot"
) and
not registry.data.strings : ("C:\\windows", "%SystemRoot%")
'''
rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+12 -4
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "system", "windows"]
integration = ["endpoint", "system", "windows", "m365_defender"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/10"
[transform]
[[transform.osquery]]
@@ -33,7 +33,14 @@ Identifies Service Control (sc.exe) spawning from script interpreter processes t
This can potentially indicate an attempt to elevate privileges or maintain persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
index = [
"logs-endpoint.events.process-*",
"logs-system.security*",
"winlogbeat-*",
"logs-windows.forwarded*",
"endgame-*",
"logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Service Control Spawned via Script Interpreter"
@@ -91,6 +98,7 @@ tags = [
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -99,7 +107,7 @@ query = '''
/* This rule is not compatible with Sysmon due to user.id issues */
process where host.os.type == "windows" and event.type == "start" and
(process.name : "sc.exe" or process.pe.original_file_name == "sc.exe") and
(process.name : "sc.exe" or ?process.pe.original_file_name == "sc.exe") and
process.parent.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe",
"wmic.exe", "mshta.exe","powershell.exe", "pwsh.exe") and
process.args:("config", "create", "start", "delete", "stop", "pause") and
rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/28"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,21 +13,13 @@ Identifies attempts to bypass User Account Control (UAC) by abusing an elevated
ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface"
references = ["https://github.com/hfiref0x/UACME"]
risk_score = 73
rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -37,6 +31,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/11/03"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,21 +13,13 @@ Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM
program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer"
references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"]
risk_score = 47
rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -37,6 +31,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+4 -11
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/10/19"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
[rule]
author = ["Elastic"]
@@ -11,20 +11,12 @@ Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevate
to bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
risk_score = 73
rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -36,6 +28,7 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/08/18"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -14,23 +16,18 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
risk_score = 47
rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -42,6 +39,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/27"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -11,7 +13,7 @@ Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. A
stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface"
@@ -21,14 +23,6 @@ references = [
]
risk_score = 73
rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -39,6 +33,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+10 -12
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/03/17"
integration = ["endpoint", "windows", "system", "m365_defender"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[transform]
[[transform.osquery]]
@@ -40,10 +42,12 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*"
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -104,14 +108,6 @@ During startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\
"""
risk_score = 73
rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -124,6 +120,8 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: System",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/26"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[transform]
[[transform.osquery]]
@@ -40,9 +42,12 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -103,14 +108,6 @@ This rule identifies an attempt to bypass User Account Control (UAC) by masquera
references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"]
risk_score = 73
rule_id = "290aca65-e94d-403b-ba0f-62f320e63f51"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
"Domain: Endpoint",
@@ -122,6 +119,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/14"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[transform]
[[transform.osquery]]
@@ -37,7 +39,7 @@ Identifies attempts to bypass User Account Control (UAC) by hijacking the Micros
Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via Windows Firewall Snap-In Hijack"
@@ -97,14 +99,6 @@ This rule identifies attempts to bypass User Account Control (UAC) by hijacking
references = ["https://github.com/AzAgarampur/byeintegrity-uac"]
risk_score = 47
rule_id = "1178ae09-5aff-460a-9f2f-455cd0ac4d8e"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -116,6 +110,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_unquoted_service_path.toml
+10 -3
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2023/07/13"
integration = ["endpoint"]
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -12,7 +14,7 @@ higher-level directory within the path of an unquoted service executable, Window
from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-system.security-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
@@ -25,6 +27,11 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Data Source: Elastic Endgame",
"Data Source: Sysmon",
"Data Source: System",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+11 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system"]
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/09/23"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[transform]
[[transform.osquery]]
@@ -40,9 +42,12 @@ from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
@@ -104,14 +109,6 @@ references = [
]
risk_score = 47
rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -122,6 +119,9 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"
rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+7 -11
View File
@@ -1,8 +1,10 @@
[metadata]
creation_date = "2020/10/13"
integration = ["endpoint", "windows"]
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/10/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
[rule]
author = ["Elastic"]
@@ -12,20 +14,12 @@ This may indicate a code injection or an equivalent form of exploitation.
"""
false_positives = ["Changes to Windows services or a rarely executed child process."]
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Service Host Child Process - Childless Service"
risk_score = 47
rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -36,6 +30,8 @@ tags = [
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"