[New Rule] APT Solarwinds Backdoor Behavior - 5 rules (#722)

* bump package version to 7.12

* Auth to Kibana connector using an existing cookie (#711)

* [New Rule] APT Solarwinds Bakcdoor Behavior - 3 rules

* ruleID

* fixed process names to include both 32 and 64bits

* fixed process names to include both 32 and 64 bits

* deleted unnecessary condition

* adjusted rule to cover cmd and ps

* renamed rule and fixed tactic

* added rule to SW package - Exporting MailBox with Powershell

* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added details to FP tag as sug by JLB

* added rule New ActiveSync Allowed Device Added via PowerShell to SW pkg

* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* adjusted desc and FPs

* adjusted alert name as sug by DevK

* Update collection_email_powershell_exchange_mailbox.toml

* Update collection_persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update rules/windows/collection_email_powershell_exchange_mailbox.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/collection_email_powershell_exchange_mailbox.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* updated registry to include symlink

* Update rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added T1195 as sug by JLB

* added T1195 as sug by JLB

* added T1195 as sug by JLB

* added pwsh as sug by Dan

* added pwsh as sug by Dan

* [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725)

* [New Rule] Outbound Scheduled Tasks Activity via PowerShell

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* fixed - added pwsh to seq_netblock

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/windows/collection_email_powershell_exchange_mailbox.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Restore packages file

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

rules/windows/collection_email_powershell_exchange_mailbox.toml

@@ -0,0 +1,44 @@
+[metadata]
+creation_date = "2020/12/15"
+maturity = "production"
+updated_date = "2020/12/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or
+archive to a .pst file. Adversaries may target user email to collect sensitive information.
+"""
+false_positives = ["Legitimate exchange system administration activity."]
+index = ["logs-endpoint.events.*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License"
+name = "Exporting Exchange Mailbox via PowerShell"
+references = [
+    "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps",
+]
+risk_score = 47
+rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+  process.name: ("powershell.exe", "pwsh.exe") and process.args : "New-MailboxExportRequest*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1114"
+name = "Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"

rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml

@@ -0,0 +1,44 @@
+[metadata]
+creation_date = "2020/12/15"
+maturity = "production"
+updated_date = "2020/12/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may
+target user email to collect sensitive information.
+"""
+false_positives = ["Legitimate exchange system administration activity."]
+index = ["logs-endpoint.events.*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License"
+name = "New ActiveSyncAllowedDeviceID Added via PowerShell"
+references = [
+    "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+    "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps",
+]
+risk_score = 47
+rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+  process.name: ("powershell.exe", "pwsh.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1114"
+name = "Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"

rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml

@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2020/12/14"
+maturity = "production"
+updated_date = "2020/12/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this
+technique to manipulate relevant security services.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "SolarWinds Process Disabling Services via Registry"
+references = [
+    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+]
+risk_score = 47
+rule_id = "b9960fef-82c6-4816-befa-44745030e917"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+type = "eql"
+
+query = '''
+registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and registry.data.strings == "4" and
+ process.name : (
+     "SolarWinds.BusinessLayerHost*.exe", 
+     "ConfigurationWizard*.exe", 
+     "NetflowDatabaseMaintenance*.exe", 
+     "NetFlowService*.exe", 
+     "SolarWinds.Administration*.exe", 
+     "SolarWinds.Collector.Service*.exe" , 
+     "SolarwindsDiagnostics*.exe")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1089"
+name = "Disabling Security Tools"
+reference = "https://attack.mitre.org/techniques/T1089/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+

rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

@@ -0,0 +1,69 @@
+[metadata]
+creation_date = "2020/12/14"
+maturity = "production"
+updated_date = "2020/12/14"
+
+[rule]
+author = ["Elastic"]
+description = "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected."
+false_positives = [
+    "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
+]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Command Execution via SolarWinds Process"
+references = [
+    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+    "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
+]
+risk_score = 47
+rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and process.name: ("cmd.exe", "powershell.exe") and
+process.parent.name: (
+     "ConfigurationWizard*.exe",
+     "NetflowDatabaseMaintenance*.exe",
+     "NetFlowService*.exe",
+     "SolarWinds.Administration*.exe",
+     "SolarWinds.Collector.Service*.exe",
+     "SolarwindsDiagnostics*.exe"
+     )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+

rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml

@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2020/12/14"
+maturity = "production"
+updated_date = "2020/12/14"
+
+[rule]
+author = ["Elastic"]
+description = "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs."
+false_positives = [
+    "Trusted SolarWinds child processes, verify process details such as network connections and file writes.",
+]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Suspicious SolarWinds Child Process"
+references = [
+    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+    "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc",
+]
+risk_score = 47
+rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+ process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
+ not process.name : (
+        "APMServiceControl*.exe",
+        "ExportToPDFCmd*.Exe",
+        "SolarWinds.Credentials.Orion.WebApi*.exe",
+        "SolarWinds.Orion.Topology.Calculator*.exe",
+        "Database-Maint.exe",
+        "SolarWinds.Orion.ApiPoller.Service.exe",
+        "WerFault.exe",
+        "WerMgr.exe")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1106"
+name = "Native API"
+reference = "https://attack.mitre.org/techniques/T1106/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+