diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index 3e7e48176..d74125192 100644
--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/07/05"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana
 language = "eql"
 license = "Elastic License v2"
 name = "Tampering of Shell Command-Line History"
+references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 setup = """## Setup
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index c872f64da..62a96f31e 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -48,6 +48,7 @@ references = [
 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
 "https://github.com/WangYihang/Reverse-Shell-Manager",
 "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/",
+ "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
 ]
 risk_score = 73
 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index 7b5890723..d6509cbfe 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via Sudoers File Modification"
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 73
 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
 severity = "high"
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 1bc428d0f..d23c49086 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/06/19"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "SUID/SGID Bit Set"
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 21
 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
 severity = "low"
@@ -32,6 +33,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
 (process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or
@@ -48,24 +50,24 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.001"
 name = "Setuid and Setgid"
 reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -73,3 +75,4 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index 23c493369..b0d2ae7d5 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Sudoers File Modification"
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 47
 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
 severity = "medium"
diff --git a/rules/integrations/fim/persistence_suspicious_file_modifications.toml b/rules/integrations/fim/persistence_suspicious_file_modifications.toml
index 86533f3e5..c8d56a9db 100644
--- a/rules/integrations/fim/persistence_suspicious_file_modifications.toml
+++ b/rules/integrations/fim/persistence_suspicious_file_modifications.toml
@@ -1,27 +1,30 @@
 [metadata]
 creation_date = "2024/06/03"
-maturity = "production"
 integration = ["fim"]
-updated_date = "2024/07/09"
+maturity = "production"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are
-commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for
-cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control,
-init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the
-paths specified in the query need to be added to the FIM policy in the Elastic Security app.
+commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron
+jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init
+daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths
+specified in the query need to be added to the FIM policy in the Elastic Security app.
 """
 from = "now-9m"
 index = ["logs-fim.event-*", "auditbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Persistence via File Modification"
+references = [
+ "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+]
 risk_score = 21
 rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
-setup = """
-## Setup
+setup = """## Setup
 
 This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.
 
@@ -46,10 +49,11 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Tactic: Privilege Escalation",
- "Data Source: File Integrity Monitoring"
+ "Data Source: File Integrity Monitoring",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
 file.path : (
@@ -112,29 +116,39 @@ file.path : (
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1037.004"
 name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
@@ -144,51 +158,42 @@ reference = "https://attack.mitre.org/techniques/T1556/"
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
-[[rule.threat.technique]]
-id = "T1136"
-name = "Create Account"
-reference = "https://attack.mitre.org/techniques/T1136/"
-[[rule.threat.technique.subtechnique]]
-id = "T1136.001"
-name = "Local Account"
-reference = "https://attack.mitre.org/techniques/T1136/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
index 3b0bb139b..8b50df9d3 100644
--- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
+++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/24"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/1247799?hl=en"]
+references = [
+ "https://support.google.com/a/answer/1247799?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
index 2f9485b97..8b3387a9e 100644
--- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
+++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
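Review bot: The new three-element `references` array in this hunk closes with `"...google-workspace-attack-surface-part-two"` and no trailing comma, while the arrays this same commit adds in execution_revershell_via_shell_cmd.toml, persistence_suspicious_file_modifications.toml and persistence_google_workspace_custom_admin_role_created.toml end with `"...",` before the `]`. The same comma-less form is repeated in every other google_workspace rule touched here (custom_gmail_route, drive_encryption_key, application_removed_from_blocklist, domain_added_to_trusted_domains, bitlocker_setting_disabled, restrictions_for_marketplace, alert_center_promotion, admin_role_deletion, mfa_enforcement_disabled, external_user_added, suspended_user_renewed, application_added, 2sv_policy_disabled, admin_role_assigned, api_access_granted_via_dwd, password_policy_modified), and in collection_google_workspace_custom_gmail_route_created_or_modified.toml the closing bracket is additionally indented as `+ ]` where every other file closes at column 0. Since the commit is otherwise normalising formatting (tags array trailing comma, blank-line layout), it would be worth running the same formatter over these files so one form is used throughout, e.g. `"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",` followed by `]`.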
@@ -76,7 +76,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/2685650?hl=en"]
+references = [
+ "https://support.google.com/a/answer/2685650?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+ ]
 risk_score = 47
 rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
index 32ca30997..5af838db9 100644
--- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
+++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/21"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/drive/answer/2494822"]
+references = [
+ "https://support.google.com/drive/answer/2494822",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 73
 rule_id = "980b70a0-c820-11ed-8799-f661ea17fbcc"
 severity = "high"
diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
index 422ba0189..ba8f4a4f7 100644
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
+++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/25"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/6328701?hl=en#"]
+references = [
+ "https://support.google.com/a/answer/6328701?hl=en#",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "495e5f2e-2480-11ed-bea8-f661ea17fbce"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
index 1b92225d2..50b9fd776 100644
--- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/6160020?hl=en"]
+references = [
+ "https://support.google.com/a/answer/6160020?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 73
 rule_id = "cf549724-c577-4fd6-8f9b-d1b8ec519ec0"
 severity = "high"
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
index e16f5f512..3da71e49a 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/9176657?hl=en"]
+references = [
+ "https://support.google.com/a/answer/9176657?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "7caa8e60-2df0-11ed-b814-f661ea17fbce"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
index 96946ea3b..35730889f 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/30"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/07/10"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -35,6 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = [
 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
 "https://developers.google.com/apps-script/guides/bound",
 "https://developers.google.com/identity/protocols/oauth2",
 ]
diff --git a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml
index e8e9160fc..09ecde61c 100644
--- a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml
+++ b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/25"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/06/28"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/6089179?hl=en"]
+references = [
+ "https://support.google.com/a/answer/6089179?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "a2795334-2499-11ed-9e1a-f661ea17fbce"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
index 65f289b26..bdf24ad32 100644
--- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
+++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
@@ -3,7 +3,7 @@ creation_date = "2023/01/15"
 integration = ["google_workspace"]
 maturity = "production"
 promotion = true
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,11 @@ note = """## Setup
 This is a promotion rule for Google Workspace security events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.
 """
-references = ["https://workspace.google.com/products/admin/alert-center/"]
+references = [
+ "https://workspace.google.com/products/admin/alert-center/",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 73
 rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
 rule_name_override = "google_workspace.alert.type"
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
index 747f1ff2f..b55c25913 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/2406043?hl=en"]
+references = [
+ "https://support.google.com/a/answer/2406043?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "93e63c3e-4154-4fc6-9f86-b411e0987bbf"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index 9999e04f1..5c62a0f8b 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/9176657?hl=en#"]
+references = [
+ "https://support.google.com/a/answer/9176657?hl=en#",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
index c023a887b..9da5f0902 100644
--- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
+++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/16"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/33329"]
+references = [
+ "https://support.google.com/a/answer/33329",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "38f384e0-aef8-11ed-9a38-f661ea17fbcc"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
index 379476c08..a1022b5fa 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/1110339"]
+references = [
+ "https://support.google.com/a/answer/1110339",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 21
 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
 severity = "low"
diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
index 039e134fa..1a25f272c 100644
--- a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
+++ b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/07"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/06/28"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -81,6 +81,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
 references = [
 "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
 "https://developers.google.com/apps-script/guides/bound",
 "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links",
 ]
diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
index d7eb4ce55..90cf5ef9b 100644
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/6328701?hl=en#"]
+references = [
+ "https://support.google.com/a/answer/6328701?hl=en#",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "785a404b-75aa-4ffd-8be5-3334a5a544dd"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
index 0d47da77d..4647fb4ae 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/26"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/9176657?hl=en"]
+references = [
+ "https://support.google.com/a/answer/9176657?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "5e161522-2545-11ed-ac47-f661ea17fbce"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index 78b80ba64..a23661911 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/172176?hl=en"]
+references = [
+ "https://support.google.com/a/answer/172176?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 73
 rule_id = "68994a6c-c7ba-4e82-b476-26a26877adf6"
 severity = "high"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml
index da1d420be..2a59b14ea 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/12"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/06/28"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"]
+references = [
+ "https://developers.google.com/admin-sdk/directory/v1/guides/delegation",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index 1a5b51af5..643c9d27e 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/2406043?hl=en"]
+references = [
+ "https://support.google.com/a/answer/2406043?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
+]
 risk_score = 47
 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
index 6181ee74c..986aac4bd 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -77,6 +77,11 @@ The Google Workspace Fleet integration, the Filebeat module, or data that's simi
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+ "https://support.google.com/a/answer/7061566",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73"
 severity = "medium"
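Review bot: The first entry of the new `references` array in persistence_google_workspace_password_policy_modified.toml, `+ "https://support.google.com/a/answer/7061566",`, repeats the support link already cited in the setup text three lines above, and the new array in persistence_mfa_disabled_for_google_workspace_organization.toml carries the same duplicate. Judging by the file names, every other Google Workspace rule in this commit leads its array with an article specific to the audited setting, so these two appear to fall back to the generic setup link; if a setting-specific Google article exists for the password policy and for organization-wide MFA enforcement, it would serve analysts better as the first reference. If none does, the duplication is harmless and can stay.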
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index fae520fa6..040e19fdd 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/2406043?hl=en"]
+references = [
+ "https://support.google.com/a/answer/2406043?hl=en",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5"
 severity = "medium"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index bec056960..cb0bc8fec 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
-references = ["https://support.google.com/a/answer/6328701?hl=en#"]
+references = [
+ "https://support.google.com/a/answer/6328701?hl=en#",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 21
 rule_id = "cc6a8a20-2df2-11ed-8378-f661ea17fbce"
 severity = "low"
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index 098cfa615..8bc3d0512 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -75,6 +75,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
 - See the following references for further information:
 - https://support.google.com/a/answer/7061566
 - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
+references = [
+ "https://support.google.com/a/answer/7061566",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
+ "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
+]
 risk_score = 47
 rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827"
 severity = "medium"
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 9c8bc89db..de5419e05 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,9 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 73
 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 784415774..4f0f19a95 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -57,6 +57,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
index 97acf978e..e27551037 100644
--- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
+++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -67,6 +67,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "50887ba8-7ff7-11ee-a038-f661ea17fbcd"
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
index 486885bc9..ebac26098 100644
--- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
+++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -60,6 +60,8 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "cc382a2e-7e52-11ee-9aac-f661ea17fbcd"
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
index f7cca9246..677879fda 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/20"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,9 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
- "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"
+ "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "94e734c0-2cda-11ef-84e1-f661ea17fbce"
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
index e1ee710f5..1ed87515d 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/20"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,9 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
- "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"
+ "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "95b99adc-2cda-11ef-84e1-f661ea17fbce"
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index 028c53515..c1bfee110 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -57,6 +57,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index 4928a9685..fc158cefe 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -55,6 +55,8 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 73
 rule_id = "8a0fbd26-867f-11ee-947c-f661ea17fbcd"
diff --git a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
index f9f9898d7..45d74b9e8 100644
--- a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
+++ b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/20"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,9 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
- "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"
+ "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "23f18264-2d6d-11ef-9413-f661ea17fbce"
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
index 3805fbaab..f65e4fc0c 100644
--- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 73
 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index ad52a9a46..5b1c06e50 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -51,6 +51,9 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
 references = [
 "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
 ]
 risk_score = 73
 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index ce7bba717..ea048dfbf 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1"
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 46ef83fbb..a89e190f8 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad"
diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
index 9fdcb0c41..ce3bbd28b 100644
--- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
+++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/11"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/11"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ license = "Elastic License v2"
 name = "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials"
 references = [
 "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/",
- "https://developer.okta.com/docs/reference/api/event-types/"
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "6649e656-6f85-11ef-8876-f661ea17fbcc"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index acd680fa6..30acf1a49 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -66,6 +66,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index 36613952a..b50418ba1 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -65,6 +65,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index cce0b1165..063a09b17 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -66,6 +66,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index ed5c99bdb..ecdabb221 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -65,6 +65,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 59904f601..6ee1d50fa 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -64,6 +64,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index c41eaf5ac..b485eec06 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -54,6 +54,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index aaa03a77d..f541558e5 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -63,6 +63,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 81b03d599..92eed04d4 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -56,6 +56,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index 4206790ee..e21246c5d 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -52,6 +52,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index bb616b52b..0d2319adf 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -56,6 +56,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index 491434bdc..b18b13630 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -27,6 +27,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 54eebeb0a..8a3a84e77 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09"
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index df11b192b..e85d11099 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68"
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index c43477fdb..8fc9d03ca 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -45,6 +45,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/#issuer-object",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"
diff --git a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
index 7cf72503b..7623ecd5c 100644
--- a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
+++ b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -50,6 +50,8 @@ references = [
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://unit42.paloaltonetworks.com/muddled-libra/",
 "https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd"
diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
index 054c5ca07..066c2b4a7 100644
--- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
+++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Austin Songer"]
@@ -24,6 +24,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://sec.okta.com/fastpassphishingdetection",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e"
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index cca876385..47a853e21 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/14"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -18,6 +18,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
diff --git a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
index d141880ba..33b4574cf 100644
--- a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
+++ b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/20"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -64,6 +64,8 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "2e56e1bc-867a-11ee-b13e-f661ea17fbcd"
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index a752278a6..c127cd0f9 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://unit42.paloaltonetworks.com/muddled-libra/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd"
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index d029b99e5..272dfd211 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -22,6 +22,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index 31391fa33..33289094c 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
index 163765359..b90248f51 100644
--- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
+++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
 promotion = true
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -30,6 +30,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 41a42b3ea..9b1bc5e9e 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -29,6 +29,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "b8075894-0b62-46e5-977c-31275da34419"
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 509a3b9c5..2631bf293 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -29,6 +29,9 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
 ]
 risk_score = 47
 rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index 21dae60ef..2996475c4 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5"
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index ba2223c67..3a6ad0886 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,9 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
 ]
 risk_score = 21
 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
index edbca91a4..fd8f45c98 100644
--- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -57,6 +57,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 21
 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
index 4192b2904..075937b53 100644
--- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
+++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -54,6 +54,8 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://unit42.paloaltonetworks.com/muddled-libra/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "29b53942-7cd4-11ee-b70e-f661ea17fbcd"
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index b751ae40e..e437c4fd7 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/01"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -28,6 +28,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 47
 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index a4901c38e..07ead8b7c 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
 risk_score = 73
 rule_id = "5610b192-7f18-11ee-825b-f661ea17fbcd"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index b6fe8c380..b9f2ca63f 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/08" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -15,6 +15,7 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Attempt to Disable IPTables or Firewall" +references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"] risk_score = 21 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f" setup = """## Setup @@ -74,20 +75,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 78771aa6d..a93d4c199 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Disable Syslog Service"
+references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
 risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 setup = """## Setup
diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
index 17ded6486..b53a07c4d 100644
--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -2,21 +2,24 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/31"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries
-to evade detection. Copying a system binary to a different location should not occur often, so if it does, the
-activity should be investigated.
+This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to
+evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity
+should be investigated.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Binary Moved or Copied"
-references = ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"]
+references = [
+ "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+]
 risk_score = 47
 rule_id = "fda1d332-5e08-4f27-8a9b-8c802e3292a6"
 setup = """## Setup
@@ -54,6 +57,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.Ext.original.path : ( @@ -87,25 +91,27 @@ file.Ext.original.path : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename System Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index c18de6fb4..391cd6f5e 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/08/08" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ license = "Elastic License v2" name = "System Log File Deletion" references = [ "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", ] risk_score = 47 rule_id = "aa895aea-b69c-4411-b110-8d7599634b30" 
@@ -92,20 +93,22 @@ file where host.os.type == "linux" and event.type == "deletion" and not process.name in ("gzip", "executor", "dockerd") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" - [[rule.threat.technique.subtechnique]] id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index 73fd48e34..131a1e897 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "SUID/SGUID Enumeration Detected" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5" setup = """## Setup diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml index 61a81cc9c..364f6df1e 100644 --- a/rules/linux/discovery_yum_dnf_plugin_detection.toml +++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml 
@@ -2,14 +2,14 @@
 creation_date = "2024/06/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/06/25"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is
-used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an
-attacker is attempting to establish persistence in a YUM or DNF plugin.
+This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used
+to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an attacker is
+attempting to establish persistence in a YUM or DNF plugin.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -17,8 +17,9 @@ language = "eql"
 license = "Elastic License v2"
 name = "Yum/DNF Plugin Status Discovery"
 references = [
- "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb",
- "https://pwnshift.github.io/2020/10/01/persistence.html"
+ "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb",
+ "https://pwnshift.github.io/2020/10/01/persistence.html",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
 ]
 risk_score = 21
 rule_id = "78390eb5-c838-4c1d-8240-69dd7397cfb7"
@@ -54,6 +55,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name == "grep" and process.args : "plugins*" and process.args : (
@@ -62,15 +64,17 @@ process.name == "grep" and process.args : "plugins*" and process.args : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index 205b2b1e1..6dd51edc0 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -19,7 +19,10 @@ index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*" language = "eql" license = "Elastic License v2" name = "Network Connection from Binary with RWX Memory Region" -references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"] +references = [ + "https://man7.org/linux/man-pages/man2/mprotect.2.html", + "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd", +] risk_score = 47 rule_id = "32300431-c2d5-432d-8ec8-0e03f9924756" setup = """## Setup diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 648294234..d3fb45fdd 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -87,6 +87,7 @@ references = [
 "https://gtfobins.github.io/gtfobins/byebug/",
 "https://gtfobins.github.io/gtfobins/git/",
 "https://gtfobins.github.io/gtfobins/ftp/",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
 ]
 risk_score = 47
 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml
index 789d77cf1..c279ac889 100644
--- a/rules/linux/execution_shell_via_meterpreter_linux.toml
+++ b/rules/linux/execution_shell_via_meterpreter_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/10"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,10 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Meterpreter Reverse Shell"
+references = [
+ "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
+ "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
+]
 risk_score = 47
 rule_id = "5c895b4f-9133-4e68-9e23-59902175355c"
 setup = """## Setup
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
index 0a453512b..e4c42a2a1 100644
--- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,8 @@ license = "Elastic License v2"
 name = "Potential Reverse Shell via UDP"
 references = [
 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
+ "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
+ "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
 ]
 risk_score = 47
 rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037"
diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
index 35f465824..72ddcdf21 100644
--- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
+++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/13"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/07/18"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,10 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unknown Execution of Binary with RWX Memory Region"
-references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"]
+references = [
+ "https://man7.org/linux/man-pages/man2/mprotect.2.html",
+ "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
+]
 risk_score = 47
 rule_id = "23bcd283-2bc0-4db2-81d4-273fc051e5c0"
 setup = """## Setup
@@ -58,19 +61,20 @@ event.category:process and host.os.type:linux and auditd.data.syscall:mprotect a
 )
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -79,7 +83,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
+
+
diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml
index 3e1ab66f5..129eef327 100644
--- a/rules/linux/persistence_apt_package_manager_execution.toml
+++ b/rules/linux/persistence_apt_package_manager_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/09"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious APT Package Manager Execution"
+references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"]
 risk_score = 47
 rule_id = "ad959eeb-2b7b-4722-ba08-a45f6622f005"
 setup = """## Setup
@@ -75,50 +76,48 @@ sequence by host.id with maxspan=5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1546.016"
-name = "Installer Packages"
-reference = "https://attack.mitre.org/techniques/T1546/016/"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -126,3 +125,4 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/persistence_apt_package_manager_file_creation.toml b/rules/linux/persistence_apt_package_manager_file_creation.toml
index 25ba3771a..0ff8b8a97 100644
--- a/rules/linux/persistence_apt_package_manager_file_creation.toml
+++ b/rules/linux/persistence_apt_package_manager_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/09"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "APT Package Manager Configuration File Creation"
-references = ["https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html"]
+references = [
+ "https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+]
 risk_score = 47
 rule_id = "7c2e1297-7664-42bc-af11-6d5d35220b6b"
 setup = """## Setup
@@ -57,6 +60,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 file where host.os.type == "linux" and event.action in ("rename", "creation") and
 file.path : "/etc/apt/apt.conf.d/*" and not (
@@ -84,34 +88,34 @@ file.path : "/etc/apt/apt.conf.d/*" and not (
 )
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1546.016"
-name = "Installer Packages"
-reference = "https://attack.mitre.org/techniques/T1546/016/"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -119,3 +123,4 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml
index 212eef6db..4fbac8005 100644
--- a/rules/linux/persistence_apt_package_manager_netcon.toml
+++ b/rules/linux/persistence_apt_package_manager_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/18"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious APT Package Manager Network Connection"
+references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"]
 risk_score = 47
 rule_id = "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c"
 setup = """## Setup
@@ -77,34 +78,34 @@ sequence by host.id with maxspan=5s
 ] by process.parent.entity_id
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1546.016"
-name = "Installer Packages"
-reference = "https://attack.mitre.org/techniques/T1546/016/"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -112,7 +113,6 @@ framework = "MITRE ATT&CK"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -120,3 +120,4 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/persistence_at_job_creation.toml b/rules/linux/persistence_at_job_creation.toml
index 765b41883..cebef39e6 100644
--- a/rules/linux/persistence_at_job_creation.toml
+++ b/rules/linux/persistence_at_job_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/31"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,7 @@ index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "At Job Created or Modified"
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 47
 rule_id = "84755a05-78c8-4430-8681-89cd6c857d71"
 setup = """## Setup
@@ -56,6 +57,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 file where host.os.type == "linux" and
 event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/*" and not (
@@ -78,56 +80,56 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/* ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 456ee5921..144d4f96a 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -135,6 +135,7 @@ This rule monitors the creation of cron jobs by monitoring for file creation and
 """
 references = [
 "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
+ "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
 ]
 risk_score = 47
 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9"
diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
index 0592e8ee0..00531a50e 100644
--- a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
+++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/09"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "DNF Package Manager Plugin File Creation"
-references = ["https://pwnshift.github.io/2020/10/01/persistence.html"]
+references = [
+ "https://pwnshift.github.io/2020/10/01/persistence.html",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+]
 risk_score = 21
 rule_id = "3fe4e20c-a600-4a86-9d98-3ecb1ef23550"
 setup = """## Setup
@@ -58,6 +61,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 file where host.os.type == "linux" and event.action in ("rename", "creation") and
 file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*") and not (
@@ -81,34 +85,34 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*
 )
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[[rule.threat.technique]]
-id = "T1546"
-name = "Event Triggered Execution"
-reference = "https://attack.mitre.org/techniques/T1546/"
-
-[[rule.threat.technique.subtechnique]]
-id = "T1546.016"
-name = "Installer Packages"
-reference = "https://attack.mitre.org/techniques/T1546/016/"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -116,3 +120,4 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 49a478b68..b9ef7388d 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/06/21"
+updated_date = "2024/09/23"
 
 [transform]
 [[transform.osquery]]
@@ -136,6 +136,8 @@ This rule monitors for the creation of the most common system-wide configuration
 references = [
 "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
 "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/",
+ "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
 ]
 risk_score = 47
 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml
index 3c2a8be62..74aeb6581 100644
--- a/rules/linux/persistence_git_hook_execution.toml
+++ b/rules/linux/persistence_git_hook_execution.toml
@@ -2,21 +2,24 @@
 creation_date = "2024/07/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/15"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git
-executes before or after events such as: commit, push, and receive. An attacker can abuse Git hooks to execute
-arbitrary commands on the system and establish persistence.
+executes before or after events such as: commit, push, and receive. An attacker can abuse Git hooks to execute arbitrary
+commands on the system and establish persistence.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Git Hook Command Execution"
-references = ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"]
+references = [
+ "https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+]
 risk_score = 47
 rule_id = "dc61f382-dc0c-4cc0-a845-069f2a071704"
 setup = """## Setup
@@ -55,6 +58,7 @@ tags = [ "Data Source: Elastic Defend", ] type = "eql" + query = ''' sequence by host.id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -65,9 +69,9 @@ sequence by host.id with maxspan=3s process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -78,29 +82,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -108,3 +111,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml index 6b2db4215..7222f3faf 100644 --- a/rules/linux/persistence_git_hook_file_creation.toml +++ b/rules/linux/persistence_git_hook_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/26" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Git Hook Created or Modified" -references = ["https://git-scm.com/docs/githooks/2.26.0"] +references = [ + "https://git-scm.com/docs/githooks/2.26.0", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 21 rule_id = "ac531fcc-1d3b-476d-bbb5-1357728c9a37" setup = """## Setup @@ -57,6 +60,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and file.extension == null and process.executable != null and not ( @@ -77,9 +81,9 @@ file.extension == null and process.executable != null and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -90,29 +94,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -120,3 +123,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_git_hook_netcon.toml b/rules/linux/persistence_git_hook_netcon.toml index 9ff0fd8a7..9e7e71207 100644 --- a/rules/linux/persistence_git_hook_netcon.toml 
+++ b/rules/linux/persistence_git_hook_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/15" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/15" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -17,7 +17,10 @@ index = ["logs-endpoint.events.process*", "logs-endpoint.events.network*"] language = "eql" license = "Elastic License v2" name = "Git Hook Egress Network Connection" -references = ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"] +references = [ + "https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 47 rule_id = "9822c5a1-1494-42de-b197-487197bb540c" setup = """## Setup @@ -56,6 +59,7 @@ tags = [ "Data Source: Elastic Defend", ] type = "eql" + query = ''' sequence by host.id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -73,9 +77,9 @@ sequence by host.id with maxspan=3s ] by process.parent.entity_id ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -86,29 +90,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -116,3 +119,4 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml
index 8caf97ff3..106d3ee1d 100644
--- a/rules/linux/persistence_git_hook_process_execution.toml
+++ b/rules/linux/persistence_git_hook_process_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/06/26"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Git Hook Child Process"
-references = ["https://git-scm.com/docs/githooks/2.26.0"]
+references = [
+ "https://git-scm.com/docs/githooks/2.26.0",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+]
 risk_score = 21
 rule_id = "7ce5e1c7-6a49-45e6-a101-0720d185667f"
 setup = """## Setup
@@ -57,6 +60,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in (
 "applypatch-msg", "commit-msg", "fsmonitor-watchman", "post-update", "post-checkout", "post-commit",
@@ -73,9 +77,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 ) and not process.name in ("git", "dirname")
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
@@ -86,29 +90,28 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -116,3 +119,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index ef21a58c3..7b02bcdfb 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/21" +updated_date = "2024/09/23" [transform] [[transform.osquery]] @@ -30,6 +30,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ 
@@ -109,6 +110,7 @@ references = [
 "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
 "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/",
+ "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
 ]
 risk_score = 21
 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
@@ -149,6 +151,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event")
 and file.path : "/etc/init.d/*" and not (
@@ -172,15 +175,17 @@ and file.path : "/etc/init.d/*" and not (
 )
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
 
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index e3e716a8f..a29210578 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/18"
+updated_date = "2024/09/23"
 
 [transform]
 [[transform.osquery]]
@@ -151,6 +151,7 @@ references = [
 "https://userbase.kde.org/System_Settings/Autostart",
 "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
 "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
+ "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
 ]
 risk_score = 47
 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml
index cf4f8a430..ef29d7ff1 100644
--- a/rules/linux/persistence_linux_backdoor_user_creation.toml
+++ b/rules/linux/persistence_linux_backdoor_user_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/07"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [transform]
 [[transform.osquery]]
@@ -87,6 +87,7 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 47
 rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
 setup = """## Setup
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml
index be5b7c048..0d580e43d 100644
--- a/rules/linux/persistence_linux_group_creation.toml
+++ b/rules/linux/persistence_linux_group_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/13"
 integration = ["system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [transform]
 [[transform.osquery]]
@@ -77,6 +77,7 @@ This rule identifies the usages of `groupadd` and `addgroup` to create new group
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 21
 rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f"
 setup = """## Setup
diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml
index 0806394a0..fe3149e23 100644
--- a/rules/linux/persistence_linux_user_account_creation.toml
+++ b/rules/linux/persistence_linux_user_account_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/13"
 integration = ["system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [transform]
 [[transform.osquery]]
@@ -76,6 +76,7 @@ This rule identifies the usage of `useradd` and `adduser` to create new accounts
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
 risk_score = 21
 rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c"
 setup = """## Setup
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
index d08a4139b..259b2283c 100644
--- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml
+++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
@@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/09/23" [transform] [[transform.osquery]] @@ -79,6 +79,7 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b" setup = """## Setup diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 585569c52..a2d5969ed 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/31" +updated_date = "2024/09/23" [transform] [[transform.osquery]] @@ -30,6 +30,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ 
@@ -37,8 +38,8 @@ This rule detects the creation of potentially malicious files within the default day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create -malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing -a backdoor script or command. +malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a +backdoor script or command. """ from = "now-9m" index = ["logs-endpoint.events.file*"] @@ -105,6 +106,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/` """ references = [ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 47 rule_id = "96d11d31-9a79-480f-8401-da28b194608f" @@ -144,6 +146,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : "/etc/update-motd.d/*" and not ( @@ -168,15 +171,17 @@ file.path : "/etc/update-motd.d/*" and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml index aff47b449..bdc886bc4 100644 --- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml +++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml @@ -2,15 +2,15 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/30" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ -This rule monitors for the addition of an executable bit for scripts that are located in directories which are -commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up -within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set -interval to gain persistence onto the system. +This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly +abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your +environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain +persistence onto the system. """ from = "now-9m" index = ["logs-endpoint.events.process*", "endgame-*"] @@ -21,6 +21,7 @@ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 21 rule_id = "94418745-529f-4259-8d25-a713a6feb6ae" 
@@ -56,10 +57,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.args : ( @@ -81,40 +83,42 @@ process.args : ( ) and not process.parent.executable : "/var/lib/dpkg/*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.013" name = "XDG Autostart Entries" reference = "https://attack.mitre.org/techniques/T1547/013/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_rc_local_error_via_syslog.toml b/rules/linux/persistence_rc_local_error_via_syslog.toml index 17927befe..6a62b00b7 100644 --- a/rules/linux/persistence_rc_local_error_via_syslog.toml +++ b/rules/linux/persistence_rc_local_error_via_syslog.toml 
@@ -2,16 +2,16 @@ creation_date = "2024/06/21" integration = ["system"] maturity = "production" -updated_date = "2024/06/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ This rule monitors the syslog log file for error messages related to the rc.local process. The rc.local file is a script that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute -malicious commands or scripts during system startup. This rule detects error messages such as "Connection refused," -"No such file or directory," or "command not found" in the syslog log file, which may indicate that the rc.local file -has been tampered with. +malicious commands or scripts during system startup. This rule detects error messages such as "Connection refused," "No +such file or directory," or "command not found" in the syslog log file, which may indicate that the rc.local file has +been tampered with. """ from = "now-9m" index = ["logs-system.syslog-*"] @@ -22,6 +22,7 @@ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 21 rule_id = "69c116bb-d86f-48b0-857d-3648511a6cac" 
@@ -47,33 +48,31 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", -] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" + query = ''' host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and message:("Connection refused" or "No such file or directory" or "command not found") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_rc_local_service_already_running.toml b/rules/linux/persistence_rc_local_service_already_running.toml index 55ce9d6df..0027fc212 100644 --- a/rules/linux/persistence_rc_local_service_already_running.toml +++ b/rules/linux/persistence_rc_local_service_already_running.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/21" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
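Review bot: The `tags` array in persistence_rc_local_error_via_syslog is collapsed onto one line, `tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]`, while every other rule touched by this commit keeps `tags` one entry per line and only gains a trailing comma (persistence_potential_persistence_script_executable_bit_set, persistence_rc_local_service_already_running, persistence_shell_configuration_modification, persistence_systemd_generator_creation, persistence_systemd_service_creation, persistence_udev_rule_creation). This looks like a formatter auto-collapsing any array that fits the column width; if so, consider turning that off for these rule files so that adding a tag later produces a one-line diff rather than re-expanding the whole array, otherwise keep the multi-line form with the trailing comma for consistency across the rule set. The `setup` multi-line string this hunk opens inside begins outside the hunk.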
@@ -24,6 +24,7 @@ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 47 rule_id = "7318affb-bfe8-4d50-a425-f617833be160" @@ -58,29 +59,32 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and process.parent.args == "/etc/rc.local" and process.parent.args == "start" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index cd66c0077..b1e95625e 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -24,6 +24,7 @@ SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ @@ -101,6 +102,7 @@ references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] risk_score = 47 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f" @@ -165,20 +167,22 @@ file.path in ("/etc/rc.local", "/etc/rc.common") and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml index dac44fc63..028902e20 100644 --- a/rules/linux/persistence_shell_configuration_modification.toml +++ b/rules/linux/persistence_shell_configuration_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Shell Configuration Creation or Modification" -references = ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"] +references = [ + "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", +] risk_score = 47 rule_id = "28f6f34b-8e16-487a-b5fd-9d22eb903db8" setup = """## Setup @@ -52,10 +55,11 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( // system-wide configurations @@ -95,20 +99,22 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_ssh_key_generation.toml b/rules/linux/persistence_ssh_key_generation.toml index f3f0f0360..39724968b 100644 --- a/rules/linux/persistence_ssh_key_generation.toml +++ b/rules/linux/persistence_ssh_key_generation.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/08" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -17,6 +17,7 @@ index = ["logs-endpoint.events.file*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "SSH Key Generated via ssh-keygen" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "7df3cb8b-5c0c-4228-b772-bb6cd619053c" severity = "low" @@ -31,54 +32,56 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and process.executable == "/usr/bin/ssh-keygen" and file.path : ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*") and not file.name : "known_hosts.*" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique.subtechnique]] id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + [[rule.threat.technique]] id = "T1563" name = "Remote Service Session Hijacking" reference = "https://attack.mitre.org/techniques/T1563/" - [[rule.threat.technique.subtechnique]] id = "T1563.001" name = "SSH Hijacking" reference = "https://attack.mitre.org/techniques/T1563/001/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index 5273d85f3..96c14581e 100644 
--- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -updated_date = "2024/09/03" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -15,7 +15,11 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Execution via XZBackdoor" -references = ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"] +references = [ + "https://github.com/amlweems/xzbot", + "https://access.redhat.com/security/cve/CVE-2024-3094", + "https://www.elastic.co/security-labs/500ms-to-midnight", +] risk_score = 73 rule_id = "7afc6cc9-8800-4c7f-be6b-b688d2dea248" severity = "high" diff --git a/rules/linux/persistence_systemd_generator_creation.toml b/rules/linux/persistence_systemd_generator_creation.toml index 91fe05517..b54e71bb3 100644 --- a/rules/linux/persistence_systemd_generator_creation.toml +++ b/rules/linux/persistence_systemd_generator_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/19" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Systemd Generator Created" -references = ["https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/"] +references = [ + "https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", +] risk_score = 47 rule_id = "39c06367-b700-4380-848a-cab06e7afede" setup = """## Setup 
@@ -53,10 +56,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( "/run/systemd/system-generators/*", "/etc/systemd/system-generators/*", @@ -81,38 +85,39 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index 3e772d311..311211a1f 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -12,11 +12,11 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' -OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' -OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE -'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') +SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE +'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE +'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE +'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR +path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] 
@@ -27,9 +27,9 @@ file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path -LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE -'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') +LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path +LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' +OR path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] @@ -40,6 +40,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ @@ -115,6 +116,7 @@ This rule monitors the creation of new systemd timer files, potentially indicati references = [ "https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 21 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c" @@ -154,6 +156,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( "/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*", 
@@ -184,20 +187,22 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" - [[rule.threat.technique.subtechnique]] id = "T1053.006" name = "Systemd Timers" reference = "https://attack.mitre.org/techniques/T1053/006/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index e5b77cf1a..2833777b7 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -12,11 +12,11 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" query = """ -SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' -OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' -OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE -'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') +SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE +'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE +'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE +'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR +path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] 
@@ -27,9 +27,9 @@ file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path -LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE -'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') +LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path +LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' +OR path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] @@ -56,6 +56,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + [rule] author = ["Elastic"] description = """ @@ -144,6 +145,7 @@ This rule monitors the creation of new systemd service files, potentially indica """ references = [ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 47 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001" 
@@ -179,10 +181,11 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( "/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*", @@ -215,38 +218,39 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml index 505f5f00c..5c7ffea22 100644 --- a/rules/linux/persistence_systemd_service_started.toml +++ b/rules/linux/persistence_systemd_service_started.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/23" +updated_date = "2024/09/23" [transform] [[transform.osquery]] 
@@ -135,6 +135,7 @@ This rule monitors the execution of the systemctl binary to start, enable or ree references = [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 47 rule_id = "b605f262-f7dc-41b5-9ebc-06bafe7a83b6" diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index 5b9acb7f7..df2279c94 100644 --- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -17,6 +17,7 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Systemd-udevd Rule File Creation" +references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"] risk_score = 21 rule_id = "054db96b-fd34-43b3-9af2-587b3bd33964" setup = """## Setup @@ -51,10 +52,11 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and process.executable != null and file.extension == "rules" and 
@@ -82,20 +84,22 @@ file.path : ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" -[[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_user_or_group_creation_or_modification.toml b/rules/linux/persistence_user_or_group_creation_or_modification.toml index a8f2d3bb9..3c1f2b769 100644 --- a/rules/linux/persistence_user_or_group_creation_or_modification.toml +++ b/rules/linux/persistence_user_or_group_creation_or_modification.toml @@ -2,19 +2,20 @@ creation_date = "2024/06/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/07/11" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux -systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system. +systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system. """ from = "now-9m" index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] language = "eql" license = "Elastic License v2" name = "User or Group Creation/Modification" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "fcf733d5-7801-4eb0-92ac-8ffacf3658f2" setup = """## Setup 
@@ -66,25 +67,28 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' iam where host.os.type == "linux" and event.type in ("creation", "change") and auditd.result == "success" and event.action in ("changed-password", "added-user-account", "added-group-account-to") ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_user_password_change.toml b/rules/linux/persistence_user_password_change.toml index 6c0185b99..ec53be1c3 100644 --- a/rules/linux/persistence_user_password_change.toml +++ b/rules/linux/persistence_user_password_change.toml @@ -2,20 +2,21 @@ creation_date = "2024/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/05" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password -change or user addition event. Threat actors may attempt to create new users or change the password of a user -account to maintain access to a system. +change or user addition event. Threat actors may attempt to create new users or change the password of a user account to +maintain access to a system. """ from = "now-9m" index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Shadow File Modification" +references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "cdf1a39b-1ca5-4e2a-9739-17fc4d026029" setup = """## Setup 
@@ -51,37 +52,39 @@ tags = [ "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.path == "/etc/shadow" and file.Ext.original.path != null ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/persistence_xdg_autostart_netcon.toml b/rules/linux/persistence_xdg_autostart_netcon.toml index b7bfd566e..f9a894844 100644 --- a/rules/linux/persistence_xdg_autostart_netcon.toml +++ b/rules/linux/persistence_xdg_autostart_netcon.toml 
@@ -2,15 +2,15 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/18" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ -Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based -Linux distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. -This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts -to establish persistence on the system. +Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux +distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. This rule +helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish +persistence on the system. """ from = "now-9m" index = ["logs-endpoint.events.*"] @@ -18,8 +18,9 @@ language = "eql" license = "Elastic License v2" name = "Network Connections Initiated Through XDG Autostart Entry" references = [ - "https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html", - "https://hadess.io/the-art-of-linux-persistence/" + "https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html", + "https://hadess.io/the-art-of-linux-persistence/", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", ] risk_score = 47 rule_id = "dd52d45a-4602-4195-9018-ebe0f219c273" @@ -69,10 +70,11 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( 
@@ -96,20 +98,22 @@ sequence by host.id, process.entity_id with maxspan=1s ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [[rule.threat.technique.subtechnique]] id = "T1547.013" name = "XDG Autostart Entries" reference = "https://attack.mitre.org/techniques/T1547/013/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml index 7bb523abc..59930d14b 100644 --- a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml @@ -2,12 +2,12 @@ creation_date = "2024/06/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/07/09" +updated_date = "2024/09/23" [rule] author = ["Elastic"] description = """ -Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, +Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued 
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Yum Package Manager Plugin File Creation" -references = ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb"] +references = [ + "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 21 rule_id = "0b15bcad-aff1-4250-a5be-5d1b7eb56d07" setup = """## Setup @@ -57,6 +60,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not ( 
@@ -81,34 +85,34 @@ file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - -[[rule.threat.technique.subtechnique]] -id = "T1546.016" -name = "Installer Packages" -reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" + + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -116,3 +120,4 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml index b846122f6..2423ff060 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/17" +updated_date = "2024/09/23" [rule] author = ["Elastic"] 
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via SUID/SGID" -references = ["https://gtfobins.github.io/#+suid"] +references = [ + "https://gtfobins.github.io/#+suid", + "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", +] risk_score = 47 rule_id = "28eb3afe-131d-48b0-a8fc-9784f3d54f3c" setup = """## Setup @@ -47,15 +50,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.user.id == "0" and process.real_user.id != "0") or @@ -91,9 +95,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -103,17 +107,17 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -121,3 +125,4 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index 1f9c23cd5..c188f2396 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/03" +updated_date = "2024/09/23" [rule] author = ["Elastic"] @@ -16,7 +16,10 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Potential Sudo Hijacking" -references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"] +references = [ + "https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] risk_score = 47 rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce" setup = """## Setup @@ -55,6 +58,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "rename") and file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( @@ -76,33 +80,34 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + 
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index c597f0d3f..ba4a84be2 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -2,7 +2,7 @@ creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,10 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Emond Child Process"
-references = ["https://www.xorrior.com/emond-persistence/"]
+references = [
+ "https://www.xorrior.com/emond-persistence/",
+ "https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer",
+]
 risk_score = 47
 rule_id = "3e3d15c6-1509-479a-b125-21718372157e"
 setup = """## Setup
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 474de8281..1d39e1988 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,15 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect
 """
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+index = [
+ "logs-endpoint.events.process-*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Exporting Exchange Mailbox via PowerShell"
@@ -62,6 +70,7 @@ Attackers can abuse this functionality in preparation for exfiltrating contents,
 references = [
 "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
 ]
 risk_score = 47
 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db"
@@ -74,7 +83,19 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: System",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -107,7 +128,6 @@ reference = "https://attack.mitre.org/techniques/T1114/002/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 9c69091a8..84b949641 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -2,7 +2,7 @@ creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,10 @@ These steps are usually done in preparation for exfiltration, meaning the attack
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"]
+references = [
+ "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
+]
 risk_score = 47
 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
 setup = """## Setup
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index b1edfe829..7efd26eee 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -2,9 +2,40 @@ creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/09"
+updated_date = "2024/09/23"
 
 [transform]
+[[transform.investigate]]
+label = "Alerts associated with the user in the last 48h"
+providers = [
+ [
+ { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
+ { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
+ ]
+]
+relativeFrom = "now-48h/h"
+relativeTo = "now"
+
+[[transform.investigate]]
+label = "Alerts associated with the host in the last 48h"
+providers = [
+ [
+ { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
+ { excluded = false, field = "host.name", queryType = "phrase", value = "{{host.name}}", valueType = "string" }
+ ]
+]
+relativeFrom = "now-48h/h"
+relativeTo = "now"
+
+[[transform.investigate]]
+label = "Investigate the Subject Process Network Events"
+providers = [
+ [
+ { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
+ { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
+ ]
+]
+
 [[transform.osquery]]
 label = "Osquery - Retrieve DNS Cache"
 query = "SELECT * FROM dns_cache"
 
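Review bot: The third `[[transform.investigate]]` ("Investigate the Subject Process Network Events") is re-emitted without `relativeFrom`/`relativeTo`, while the two alert look-ups above it both carry `relativeFrom = "now-48h/h"` and `relativeTo = "now"`. The removed copy in the following hunk had the same omission, so this is not a regression, but since this hunk rewrites all three entries it is the moment to decide whether the process-network timeline should be time-bounded like its siblings. If leaving it unbounded is intentional, a one-line comment above the entry such as `# no time window on purpose: the query is already scoped to one process.entity_id` would stop the next reader from re-raising it. The `[transform]` table these entries belong to continues past the end of this hunk.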
@@ -29,38 +60,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' """ -[[transform.investigate]] -label = "Alerts associated with the user in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "user.id", excluded = false, queryType = "phrase", value = "{{user.id}}", valueType = "string"} - ] -] - - -[[transform.investigate]] -label = "Alerts associated with the host in the last 48h" -relativeFrom = "now-48h/h" -relativeTo = "now" -providers = [ - [ - {field = "event.kind", excluded = false, queryType = "phrase", value = "signal", valueType = "string"}, - {field = "host.name", excluded = false, queryType = "phrase", value = "{{host.name}}", valueType = "string"} - ] -] - -[[transform.investigate]] -label = "Investigate the Subject Process Network Events" -providers = [ - [ - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.entity_id}}", valueType = "string"}, - {field = "event.category", excluded = false, queryType = "phrase", value = "network", valueType = "string"} - ] -] - [rule] author = ["Elastic"] 
@@ -128,10 +127,21 @@ This rule looks for processes outside known legitimate program locations communi
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+"https://www.elastic.co/security-labs/operation-bleeding-bear",
+"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"
+]
 risk_score = 21
 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
@@ -286,7 +296,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and
 "Cisco Systems, Inc.",
 "Dropbox, Inc",
 "Amazon.com Services LLC"))
- )
+ )
 '''
 
 
@@ -301,11 +311,12 @@ reference = "https://attack.mitre.org/techniques/T1102/"
 id = "T1568"
 name = "Dynamic Resolution"
 reference = "https://attack.mitre.org/techniques/T1568/"
+[[rule.threat.technique.subtechnique]]
+id = "T1568.002"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1568/002/"
+
 
- [[rule.threat.technique.subtechnique]]
- id = "T1568.002"
- name = "Domain Generation Algorithms"
- reference = "https://attack.mitre.org/techniques/T1568/002/"
 
 [rule.threat.tactic]
 id = "TA0011"
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index b05996e51..8e894002c 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
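Review bot: The new `references` array in the first hunk is written with unindented entries and no trailing comma, whereas every other multi-line array this commit reformats (the `tags` block in the same hunk, and the reference arrays on L107 and L109) is indented and ends each entry with a comma; the arrays added on L116 (both files) and L117 also omit the trailing comma. A hand-written block in a different shape will be rewritten by the next formatter pass and show up as unrelated churn, so the last entry should read `    "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",` with the same indent as the `tags` entries. In the third hunk the de-indented `[[rule.threat.technique.subtechnique]]` block is followed by an added blank plus the two retained blanks, leaving three empty lines before `[rule.threat.tactic]`; one is enough. The whitespace-only change to `)` in the second hunk sits inside the `query` literal and so alters the rule's query text, which is harmless for EQL but worth knowing when comparing rule hashes.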
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,10 @@ This rule looks for the execution of utilities that can extract credential data
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["https://lolbas-project.github.io/"]
+references = [
+ "https://lolbas-project.github.io/",
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+]
 risk_score = 73
 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
 setup = """## Setup
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 9d059bfe2..1ce0f1903 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 
 [transform]
 [[transform.osquery]]
@@ -108,6 +108,7 @@ references = [
 "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy",
 "https://www.elastic.co/security-labs/detect-credential-access",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
 ]
 risk_score = 73
 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f"
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index ad74216af..41e1120be 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -2,7 +2,7 @@ creation_date = "2022/02/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -60,6 +60,7 @@ references = [
 "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md",
 "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync",
 "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
 ]
 risk_score = 73
 rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1"
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index ad39fc43c..663b76050 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,7 +2,7 @@ creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ name = "Potential Credential Access via LSASS Memory Dump"
 references = [
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
 "https://www.elastic.co/security-labs/detect-credential-access",
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
 ]
 risk_score = 73
 rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index f19adef77..f860425b8 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -53,6 +53,7 @@ This rule looks for the execution of the `wevtutil.exe` utility or the `Clear-Ev
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"]
 risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
 setup = """## Setup
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 57c27fe3a..d3eb6f48b 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/20"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -70,6 +70,9 @@ Microsoft Windows Defender is an antivirus product built into Microsoft Windows.
 """
 references = [
 "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
+ "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign",
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"
 ]
 risk_score = 47
 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 0142c7a46..a5babe6d6 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,8 @@ This rule monitors the execution of commands that can tamper the Windows Defende
 """
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps",
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"
 ]
 risk_score = 47
 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index 883950cad..c7d5deb8b 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
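Review bot: The last element added to `references` in defense_evasion_defender_exclusion_via_powershell.toml, `"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"`, has no trailing comma, while most of the multi-line references arrays touched by this commit close with one; the same omission appears in the defense_evasion_disabling_windows_defender_powershell.toml hunk on this line and in the lateral_movement_direct_outbound_smb_connection.toml references hunk further down. The defense_evasion_from_unusual_directory.toml hunk additionally writes its array elements at column 0, without the leading indent the other arrays in this commit carry. Appending the comma, `"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",`, and indenting those elements keeps the next reference addition to a one-line diff and makes the four files consistent with the rest of the rule set. Single-element arrays are also written both ways in this commit (one-line in some files, multi-line in others); picking one form would be worth a formatting pass before merge.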
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -102,6 +102,10 @@ This rule identifies processes that are executed from suspicious default Windows
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",
+"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"
+]
 risk_score = 47
 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f"
 setup = """## Setup
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index c4832f2ec..dca4f49ea 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -102,6 +102,7 @@ references = [
 "https://twitter.com/SBousseaden/status/1235533224337641473",
 "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
 "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/",
+ "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign",
 ]
 risk_score = 47
 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8"
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index ee2732a06..4d9a24bf4 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/09/23"
 [rule]
 author = ["Austin Songer"]
@@ -62,6 +62,7 @@ references = [
 "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html",
 "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html",
 "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html",
+ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",
 ]
 risk_score = 47
 rule_id = "fe794edd-487f-4a90-b285-3ee54f2af2d3"
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 16ce875c6..45747d454 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,9 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Mshta Making Network Connections"
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+]
 risk_score = 47
 rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
 severity = "medium"
diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
index 84aecaea7..6cdf87d08 100644
--- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
+++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,10 @@ index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Parent Process PID Spoofing"
-references = ["https://blog.didierstevens.com/2017/03/20/"]
+references = [
+ "https://blog.didierstevens.com/2017/03/20/",
+ "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
+]
 risk_score = 73
 rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
 severity = "high"
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 3842a4234..c2e3ee568 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -103,6 +103,7 @@ references = [
 "https://twitter.com/egre55/status/1087685529016193025",
 "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx",
 "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
 ]
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
index 052d4bb6f..17af2ccde 100644
--- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
+++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/11/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -16,6 +16,9 @@ index = ["logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unsigned DLL Side-Loading from a Suspicious Folder"
+references = [
+ "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
+]
 risk_score = 47
 rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
 setup = """## Setup
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 782d47629..b9e98348e 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -98,6 +98,10 @@ This rule looks for the execution of scripts from unusual directories. Attackers
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 47
 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
 setup = """## Setup
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index afa9ece3f..970a63b98 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,7 @@ license = "Elastic License v2"
 name = "Outbound Scheduled Task Activity via PowerShell"
 references = [
 "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
 ]
 risk_score = 47
 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 6c9dd4036..57bde7b25 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,10 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Cmd Execution via WMI"
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
+]
 risk_score = 47
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
 setup = """## Setup
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 04bf6f51e..9a59c84b8 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,7 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit"]
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
 severity = "medium"
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 54732f29f..e0af096a2 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -65,6 +65,7 @@ This rule looks for the spawn of the `powershell.exe` process with `cscript.exe`
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/operation-bleeding-bear"]
 risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
 setup = """## Setup
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 6face0054..71e80066c 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,8 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/07"
-
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -34,7 +33,11 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 [rule]
 author = ["Elastic"]
 description = """
-Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.
+Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server
+Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which
+communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This
+rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral
+movement within the network by leveraging SMB connections.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
@@ -95,6 +98,10 @@ This rule looks for unexpected processes or LOLBins making network connections o
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"
+]
 risk_score = 47
 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
 severity = "medium"
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index f9b06fa6f..5c039bad9 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -56,6 +56,10 @@ Adversaries can use network shares to host tooling to support the compromise of
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 47
 rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b"
 severity = "medium"
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index 44e656981..058de4b64 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,10 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via TSClient Mountpoint"
-references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
+references = [
+ "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 73
 rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8"
 setup = """## Setup
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index af04a2b71..b8ee94c42 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/11"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -91,6 +91,7 @@ Adversaries can use network shares to host tooling to support the compromise of
 """
 references = [
 "http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
 ]
 risk_score = 47
 rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e"
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 7246879cb..ea6733fab 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ name = "Potential SharpRDP Behavior"
 references = [
 "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
 ]
 risk_score = 73
 rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 1fb1ba34c..aebc227ae 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,7 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy to a Hidden Share"
+references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
 risk_score = 47
 rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
 setup = """## Setup
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index da85d66e7..cf677477a 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -102,6 +102,7 @@ This rule detects the remote creation or start of a service by correlating a `se
 """
 references = [
 "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f",
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
 ]
 risk_score = 47
 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 3d3951767..43f0b5604 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -45,6 +45,7 @@ note = """## Triage and analysis
 - Remove scheduled task and any other related artifacts.
 - Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.
 """
+references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
 risk_score = 47
 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
 severity = "medium"
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index b68fdf713..d7c22ad7b 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,10 @@ index = ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious RDP ActiveX Client Loaded"
-references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
+references = [
+ "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 47
 rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270"
 setup = """## Setup
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 650371712..ce5854fca 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,10 @@ index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_ope
 language = "eql"
 license = "Elastic License v2"
 name = "Lateral Movement via Startup Folder"
-references = ["https://www.mdsec.co.uk/2017/06/rdpinception/"]
+references = [
+ "https://www.mdsec.co.uk/2017/06/rdpinception/",
+ "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
+]
 risk_score = 73
 rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f"
 setup = """## Setup
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index b146663bf..204561141 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -93,6 +93,10 @@ Techniques used within malware and by adversaries often leverage the Windows reg
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign",
+ "https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader",
+]
 risk_score = 73
 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
 severity = "high"
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 26e1a4dba..4cea0244e 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,8 @@ name = "Local Scheduled Task Creation"
 references = [
 "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1",
 "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2",
+ "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
 ]
 risk_score = 21
 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a"
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 1d66c483e..28db60183 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/05"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -98,6 +98,7 @@ Adversaries may achieve persistence by referencing a program with a registry run
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign"]
 risk_score = 21
 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
 severity = "low"
diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml
index 4c9bda1fc..63ce6c7c0 100644
--- a/rules/windows/persistence_service_dll_unsigned.toml
+++ b/rules/windows/persistence_service_dll_unsigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -15,6 +15,9 @@ index = ["logs-endpoint.events.library-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unsigned DLL Loaded by Svchost"
+references = [
+ "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
+]
 risk_score = 47
 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e"
 severity = "medium"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index da4b46589..4368e7ff3 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -97,7 +97,10 @@ This rule monitors for commonly abused processes writing to the Startup folder l
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-references = ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"]
+references = [
+ "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1",
+ "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign",
+]
 risk_score = 47
 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde"
 setup = """## Setup
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index d74b17c8c..55d0dbe26 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -13,6 +13,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Scheduled Task"
+references = [
+ "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
+]
 risk_score = 47
 rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a"
 setup = """## Setup
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 2dd83bb73..b42c758aa 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 [rule]
 author = ["Elastic"]
@@ -68,6 +68,7 @@ references = [
 "https://www.greyhathacker.net/?p=796",
 "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings",
 "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview",
+ "https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four",
 ]
 risk_score = 47
 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404"
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index 5ae2120bc..86d8647f7 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -76,6 +76,7 @@ The `sc.exe` command line utility is used to manage and control Windows services
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"]
 risk_score = 21
 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
 severity = "low"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 437adcb34..2832d5042 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 [transform]
 [[transform.osquery]]
@@ -100,6 +100,7 @@ This rule uses this information to spot suspicious parent and child processes.
 references = [
 "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",
 "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
+ "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit",
 ]
 risk_score = 47
 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 7f3a1f04b..caf0ca52a 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/07"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -20,6 +20,7 @@ references = [
 "https://www.x86matthew.com/view_post?id=create_svc_rpc",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697",
 "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
 ]
 risk_score = 73
 rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2"
@@ -40,7 +41,13 @@ Audit Security System Extension (Success)
 ```
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: System",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules_building_block/discovery_net_view.toml b/rules_building_block/discovery_net_view.toml
index 10e11ec99..2b71644a8 100644
--- a/rules_building_block/discovery_net_view.toml
+++ b/rules_building_block/discovery_net_view.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2020/12/04"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -42,6 +42,9 @@ This rule looks for the execution of the `net` utility to enumerate servers in t
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
+references = [
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
+]
 risk_score = 47
 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
 setup = """## Setup
