diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml index 2ba283eec..63059c620 100644 --- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml +++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml @@ -23,7 +23,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6* +event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* ''' diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml index fd1903a8e..949629c66 100644 --- a/rules/cross-platform/guided_onboarding_sample_rule.toml +++ b/rules/cross-platform/guided_onboarding_sample_rule.toml @@ -49,7 +49,7 @@ timestamp_override = "event.ingested" type = "threshold" query = ''' -event.kind:"event" +event.kind:event ''' diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml index c7d7e3001..13bdc463d 100644 --- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml +++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml 
@@ -38,10 +38,10 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset : "kubernetes.audit_logs" - and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" - and (kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated") or not kubernetes.audit.user.username:*) - and not kubernetes.audit.objectRef.resource:("healthz" or "livez" or "readyz") +event.dataset:kubernetes.audit_logs + and kubernetes.audit.annotations.authorization_k8s_io/decision:allow + and kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *) + and not kubernetes.audit.objectRef.resource:(healthz or livez or readyz) ''' diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 6289ca832..3efda02b8 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml 
@@ -4,15 +4,15 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/06/14" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious -directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially -malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to -unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can +directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially +malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to +unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. """ from = "now-59m" 
@@ -26,64 +26,77 @@ severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "new_terms" + query = ''' -host.os.type : "linux" and event.category : "network" and -event.action : ("connection_attempted" or "ipv4_connection_attempt_event") and +host.os.type:linux and event.category:network and +event.action:(connection_attempted or ipv4_connection_attempt_event) and process.executable : ( - /tmp/* or /var/tmp/* or /dev/shm/* or /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or - /etc/update-motd.d/* or /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/* or /etc/rc.local) and -source.ip : ( - 127.0.0.0/8 or - 10.0.0.0/8 or - 172.16.0.0/12 or - 192.168.0.0/16 - ) and not destination.ip : ( - 10.0.0.0/8 or - 127.0.0.0/8 or - 169.254.0.0/16 or - 172.16.0.0/12 or - 192.0.0.0/24 or - 192.0.0.0/29 or - 192.0.0.8/32 or - 192.0.0.9/32 or - 192.0.0.10/32 or - 192.0.0.170/32 or - 192.0.0.171/32 or - 192.0.2.0/24 or - 192.31.196.0/24 or - 192.52.193.0/24 or - 192.168.0.0/16 or - 192.88.99.0/24 or - 224.0.0.0/4 or - 100.64.0.0/10 or - 192.175.48.0/24 or - 198.18.0.0/15 or - 198.51.100.0/24 or - 203.0.113.0/24 or - 240.0.0.0/4 or - "::1" or - "FE80::/10" or - "FF00::/8" - ) and not process.executable : ( - "/usr/bin/wget" or - "/usr/bin/curl" or - "/usr/bin/apt" or - "/usr/bin/dpkg" or - "/usr/bin/yum" or - "/usr/bin/rpm" or - "/usr/bin/dnf" or - "/usr/bin/dockerd" - ) + (/etc/crontab or + /etc/rc.local or + /boot/* or + /dev/shm/* or + /etc/cron.*/* or + /etc/init.d/* or + /etc/rc*.d/* or + /etc/update-motd.d/* or + /home/*/.* or + /run/* or + /srv/* or + /tmp/* or + /usr/lib/update-notifier/* or + /var/tmp/*) and + not (/usr/bin/apt or + /usr/bin/curl or + /usr/bin/dnf or + /usr/bin/dockerd or + /usr/bin/dpkg or + /usr/bin/rpm or + /usr/bin/wget or + /usr/bin/yum) + ) +and source.ip : ( + 10.0.0.0/8 or + 
127.0.0.0/8 or + 172.16.0.0/12 or + 192.168.0.0/16) and + not destination.ip : ( + 10.0.0.0/8 or + 100.64.0.0/10 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.0.0.0/24 or + 192.0.0.0/29 or + 192.0.0.10/32 or + 192.0.0.170/32 or + 192.0.0.171/32 or + 192.0.0.8/32 or + 192.0.0.9/32 or + 192.0.2.0/24 or + 192.168.0.0/16 or + 192.175.48.0/24 or + 192.31.196.0/24 or + 192.52.193.0/24 or + 192.88.99.0/24 or + 198.18.0.0/15 or + 198.51.100.0/24 or + 203.0.113.0/24 or + 224.0.0.0/4 or + 240.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" @@ -92,7 +105,8 @@ reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["destination.ip", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-2d" + + diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 7fbf40bc2..f4ed4950a 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml 
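Review bot: The `@@ -92,7 +105,8` hunk appends two empty lines after `value = "now-2d"` at the end of the file (the `+ +` immediately before the next `diff --git`), which is formatter noise rather than part of the query cleanup; the same trailing blank lines are added at the end of persistence_credential_access_modify_ssh_binaries.toml, persistence_shared_object_creation.toml, collection_posh_mailbox.toml and defense_evasion_posh_encryption.toml. A single newline at end of file is the convention these TOML rule files otherwise follow, and the extra lines will churn again the next time a tool normalises them, so trim them before merging. The query hunk above it does look equivalent to the original: the separate `not process.executable : (...)` exclusion was folded into the `process.executable : ((...) and not (...))` group and the address lists were only reordered, with all 26 destination entries preserved.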
@@ -29,10 +29,13 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and host.os.type:linux and event.type:change and - process.name:* and - (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and - not process.name:("dpkg" or "yum" or "dnf" or "dnf-automatic") +event.category:file and host.os.type:linux and event.type:change and + process.name:(* and not (dnf or dnf-automatic or dpkg or yum)) and + (file.path:(/usr/bin/scp or + /usr/bin/sftp or + /usr/bin/ssh or + /usr/sbin/sshd) or + file.name:libkeyutils.so) ''' @@ -48,7 +51,6 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -61,21 +63,8 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - - - [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1563" -name = "Remote Service Session Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/" -[[rule.threat.technique.subtechnique]] -id = "T1563.001" -name = "SSH Hijacking" -reference = "https://attack.mitre.org/techniques/T1563/001/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -85,7 +74,20 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" +[[rule.threat.technique.subtechnique]] +id = "T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" + + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + 
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index 5554e6077..dccb41bcf 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -4,16 +4,16 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2023/06/09" +updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ -This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object -file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While -this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute -unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows -malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the +This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object +file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While +this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute +unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows +malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. """ from = "now-9m" 
@@ -21,9 +21,7 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Shared Object Created or Changed by Previously Unknown Process" -references = [ - "https://threatpost.com/sneaky-malware-backdoors-linux/180158/" -] +references = ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"] risk_score = 47 rule_id = "aebaa51f-2a91-4f6a-850b-b601db2293f4" severity = "medium" @@ -32,23 +30,25 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -host.os.type : "linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and -file.path : (/usr/lib/* or /dev/shm/*) and file.extension : "so" and process.name : * and not -process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "5") +host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and +file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and +process.name:(* and not (5 or dockerd or dpkg or rpm or snapd)) ''' + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -57,7 +57,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.name"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml index 3cdf8e1b7..0ac2b0978 100644 --- a/rules/macos/defense_evasion_modify_environment_launchctl.toml +++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml 
@@ -29,21 +29,20 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and host.os.type:macos and event.type:start and - process.name:launchctl and - process.args:(setenv and not (JAVA*_HOME or - RUNTIME_JAVA_HOME or - DBUS_LAUNCHD_SESSION_BUS_SOCKET or - ANT_HOME or - LG_WEBOS_TV_SDK_HOME or - WEBOS_CLI_TV or - EDEN_ENV) - ) and - not process.parent.executable:("/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or - "/usr/local/bin/kr" or - "/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or - "/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper") and - not process.args : "*.vmoptions" +event.category:process and host.os.type:macos and event.type:start and + process.name:launchctl and + process.args:(setenv and not (ANT_HOME or + DBUS_LAUNCHD_SESSION_BUS_SOCKET or + EDEN_ENV or + LG_WEBOS_TV_SDK_HOME or + RUNTIME_JAVA_HOME or + WEBOS_CLI_TV or + JAVA*_HOME) and + not *.vmoptions) and + not process.parent.executable:("/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper" or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /usr/local/bin/kr) ''' diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml index 3400980fc..7e820e8d8 100644 --- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml +++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml @@ -31,7 +31,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and host.os.type:macos and not event.type:deletion and file.name:~$*.zip and host.os.type:macos +event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip ''' 
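Review bot: Folding `not process.args : "*.vmoptions"` into the group as `not *.vmoptions` is not a pure reformat: the original value was quoted, and in Kibana KQL a quoted value is a phrase match in which `*` is, to my knowledge, taken literally, so the old exclusion matched essentially nothing, whereas the new unquoted form is a real wildcard that suppresses every launchctl setenv event whose args end in `.vmoptions`. That is probably what the author always intended, but it widens an exclusion on a defense-evasion rule and should be stated in the PR description rather than hidden in a formatting pass; unlike the Linux rules in this diff, `updated_date` for this rule is also not bumped. Separately, `/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin` appears twice in the `process.parent.executable` list both before and after the change; the optimizer did not dedupe it, so drop one copy by hand.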
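Review bot: `host.os.type:(macos and macos)` on the new side of the sandboxed-office hunk is a redundant self-conjunction that the optimizer carried over from the original's duplicated `host.os.type:macos ... and host.os.type:macos`; it should collapse to a single term, `event.category:file and host.os.type:macos and not event.type:deletion and file.name:~$*.zip`. Because `test_all_rule_queries_optimized` (last hunk of this diff) compares each stored query with its optimized form, leaving it as is makes the oddity the rule's canonical text, so either the optimizer needs a dedupe step for repeated values inside an `and` group or this rule should be corrected now.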
diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml index 70a23a815..5e37703bb 100644 --- a/rules/windows/collection_posh_clipboard_capture.toml +++ b/rules/windows/collection_posh_clipboard_capture.toml @@ -74,8 +74,8 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo ``` """ references = [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", - "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1", ] risk_score = 47 rule_id = "92984446-aefb-4d5e-ad12-598042ca80ba" @@ -85,17 +85,14 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and host.os.type:windows and - (powershell.file.script_block_text : ( - "Windows.Clipboard" or - "Windows.Forms.Clipboard" or - "Windows.Forms.TextBox" - ) and - powershell.file.script_block_text : ( - "]::GetText" or - ".Paste()" - )) or powershell.file.script_block_text : "Get-Clipboard" - and not user.id : "S-1-5-18" +event.category:process and host.os.type:windows and + powershell.file.script_block_text:((Windows.Clipboard or + Windows.Forms.Clipboard or + Windows.Forms.TextBox) and + (".Paste()" or + "]::GetText")) or + powershell.file.script_block_text:Get-Clipboard and + not user.id:S-1-5-18 ''' diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 89de30350..1890c8b95 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml 
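Review bot: The rewritten clipboard query keeps a precedence problem that the new layout makes easier to see: because `and` binds tighter than `or`, the query is `(event.category:process and host.os.type:windows and script_block_text:(...)) or (script_block_text:Get-Clipboard and not user.id:S-1-5-18)`, so the `Get-Clipboard` branch is not scoped to `event.category:process`/`host.os.type:windows` and the SYSTEM exclusion `not user.id:S-1-5-18` applies only to that branch, never to the `Windows.Clipboard`/`.Paste()` branch. If the intent is one scoped rule with one exclusion (which the original's indentation suggests), wrap the two script-block alternatives together and move the exclusion outside: `event.category:process and host.os.type:windows and (powershell.file.script_block_text:((Windows.Clipboard or Windows.Forms.Clipboard or Windows.Forms.TextBox) and (".Paste()" or "]::GetText")) or powershell.file.script_block_text:Get-Clipboard) and not user.id:S-1-5-18`. That is a logic change rather than a reformat, so it belongs in its own commit with an `updated_date` bump, but it should not be silently re-optimized into the current shape.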
@@ -85,14 +85,23 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and host.os.type:windows and - ( - powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or - powershell.file.script_block_text : ( - (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and - (GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL") - ) - ) and not user.id : "S-1-5-18" +event.category:process and host.os.type:windows and +powershell.file.script_block_text : ( + Get-Keystrokes or GetAsyncKeyState or GetKeyboardState or NtUserGetAsyncKeyState or + ( + NtUserSetWindowsHookEx or + SetWindowsHookA or + SetWindowsHookEx or + SetWindowsHookExA or + SetWindowsHookW + ) and + ( + GetForegroundWindow or + GetWindowTextA or + GetWindowTextW or + WM_KEYBOARD_LL) + ) +and not user.id:S-1-5-18 ''' diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml index f5cae31a9..ac867e4cd 100644 --- a/rules/windows/collection_posh_mailbox.toml +++ b/rules/windows/collection_posh_mailbox.toml @@ -86,18 +86,13 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and host.os.type:windows and - ( - powershell.file.script_block_text : ( - "Microsoft.Office.Interop.Outlook" or - "Interop.Outlook.olDefaultFolders" or - "::olFolderInBox" - ) or - powershell.file.script_block_text : ( - "Microsoft.Exchange.WebServices.Data.Folder" or - "Microsoft.Exchange.WebServices.Data.FileAttachment" - ) - ) +event.category:process and host.os.type:windows and +powershell.file.script_block_text : ( + "::olFolderInBox" or + Interop.Outlook.olDefaultFolders or + Microsoft.Exchange.WebServices.Data.FileAttachment or + Microsoft.Exchange.WebServices.Data.Folder or + Microsoft.Office.Interop.Outlook) ''' 
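Review bot: The new layout of the keylogger query hides its precedence: inside the `powershell.file.script_block_text : (...)` group the four `or` terms and the `(hooks) and (window APIs)` conjunction are printed at the same indentation, but `and` binds tighter than `or`, so the expression reads as `Get-Keystrokes or ... or ((hooks) and (window APIs))`, which is what the original spelled out with its own parentheses. The logic is unchanged, but a reader now needs to know KQL precedence to see that a bare `GetForegroundWindow` does not fire on its own; make it explicit, e.g. `NtUserGetAsyncKeyState or ((NtUserSetWindowsHookEx or SetWindowsHookA or SetWindowsHookEx or SetWindowsHookExA or SetWindowsHookW) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))`. The same flattening appears in defense_evasion_amsi_bypass_powershell.toml, where `... or unloadsilent or VirtualProtect and "[System.Runtime.InteropServices.Marshal]::Copy" or ".SetValue(" and "[Ref].Assembly.GetType(('System.Management.Automation"` relies on precedence for the two two-term conjunctions at the tail of a long `or` list; parenthesise those too, or the next edit to either list will quietly change what the rule matches.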
@@ -107,7 +102,6 @@ framework = "MITRE ATT&CK" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" - [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" @@ -118,26 +112,27 @@ id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" + + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index 85666af1d..957d35a34 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml 
@@ -104,26 +104,25 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:"process" and host.os.type:windows and - (powershell.file.script_block_text : - ("System.Management.Automation.AmsiUtils" or - amsiInitFailed or - "Invoke-AmsiBypass" or - "Bypass.AMSI" or - "amsi.dll" or - AntimalwareProvider or - amsiSession or - amsiContext or - "System.Management.Automation.ScriptBlock" or - AmsiInitialize or - unloadobfuscated or - unloadsilent or - AmsiX64 or - AmsiX32 or - FindAmsiFun) or - powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or - powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(") - ) +event.category:process and host.os.type:windows and +powershell.file.script_block_text : ( + AmsiInitialize or + AmsiX32 or + AmsiX64 or + AntimalwareProvider or + Bypass.AMSI or + FindAmsiFun or + Invoke-AmsiBypass or + System.Management.Automation.AmsiUtils or + System.Management.Automation.ScriptBlock or + amsi.dll or + amsiContext or + amsiInitFailed or + amsiSession or + unloadobfuscated or + unloadsilent or + VirtualProtect and "[System.Runtime.InteropServices.Marshal]::Copy" or + ".SetValue(" and "[Ref].Assembly.GetType(('System.Management.Automation") ''' diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml index 12c2c8204..6d98fcce9 100644 --- a/rules/windows/defense_evasion_posh_encryption.toml +++ b/rules/windows/defense_evasion_posh_encryption.toml 
@@ -26,44 +26,39 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and host.os.type:windows and - powershell.file.script_block_text : ( - ( - "Cryptography.AESManaged" or - "Cryptography.RijndaelManaged" or - "Cryptography.SHA1Managed" or - "Cryptography.SHA256Managed" or - "Cryptography.SHA384Managed" or - "Cryptography.SHA512Managed" or - "Cryptography.SymmetricAlgorithm" or - "PasswordDeriveBytes" or - "Rfc2898DeriveBytes" - ) and - ( - CipherMode and PaddingMode - ) and - ( - ".CreateEncryptor" or - ".CreateDecryptor" - ) - ) and not user.id : "S-1-5-18" +event.category:process and host.os.type:windows and +powershell.file.script_block_text : ( + CipherMode and + PaddingMode and + ( + Cryptography.AESManaged or + Cryptography.RijndaelManaged or + Cryptography.SHA1Managed or + Cryptography.SHA256Managed or + Cryptography.SHA384Managed or + Cryptography.SHA512Managed or + Cryptography.SymmetricAlgorithm or + PasswordDeriveBytes or + Rfc2898DeriveBytes + ) and (.CreateDecryptor or .CreateEncryptor)) and not user.id:S-1-5-18 ''' [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" - [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index a7875c395..c05244379 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -59,7 +59,7 @@ class TestValidRules(BaseRuleTest): def test_all_rule_queries_optimized(self): """Ensure that every rule query is in optimized form.""" for rule in self.production_rules: - if rule.contents.data.get("language") == "kql": + if rule.contents.data.get("language") == "kuery": source = rule.contents.data.query tree = kql.parse(source, optimize=False) optimized = tree.optimize(recursive=True)
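Review bot: The old condition compared against `"kql"` while the rule files declare `language = "kuery"` (visible in the shared-object rule hunk above), so the loop body never executed and this test passed vacuously, which is why this commit has to touch so many queries at once. The fix is correct, but nothing prevents the same silent no-op from recurring after another rename; count the rules actually examined and fail when there are none, e.g. `checked += 1` inside the `if` block and, after the loop, `self.assertGreater(checked, 0, "no kuery rules were checked")` (assuming BaseRuleTest is a unittest.TestCase, as the `self.` style suggests). The body of test_all_rule_queries_optimized continues past the end of this hunk.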