From e3c8981b634ff7c6ef1e75ff0c312900e50e1a16 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Tue, 26 Apr 2022 17:57:15 -0300
Subject: [PATCH] Review & Fix Invalid References (#1936)

(cherry picked from commit 20d2e92cfe0cc0b473a88c4c21c0e6fd306cce85)
---
 rules/integrations/aws/initial_access_password_recovery.toml | 4 ++--
 rules/integrations/aws/persistence_route_table_created.toml | 4 ++--
 .../aws/persistence_route_table_modified_or_deleted.toml | 4 ++--
 .../macos/defense_evasion_attempt_to_disable_gatekeeper.toml | 4 ++--
 ...privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml | 4 ++--
 rules/windows/credential_access_disable_kerberos_preauth.toml | 4 ++--
 .../credential_access_domain_backup_dpapi_private_keys.toml | 4 ++--
 rules/windows/credential_access_saved_creds_vaultcmd.toml | 4 ++--
 .../defense_evasion_clearing_windows_console_history.toml | 4 ++--
 ...xecution_apt_solarwinds_backdoor_child_cmd_powershell.toml | 4 ++--
 ...ution_apt_solarwinds_backdoor_unusual_child_processes.toml | 4 ++--
 .../privilege_escalation_group_policy_scheduled_task.toml | 4 ++--
 .../windows/privilege_escalation_persistence_phantom_dll.toml | 4 ++--
 ...lege_escalation_printspooler_suspicious_file_deletion.toml | 3 +--
 ...rivilege_escalation_unusual_printspooler_childprocess.toml | 3 +--
 15 files changed, 28 insertions(+), 30 deletions(-)

diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 4ad368ec9..ec54e563e 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/04/20"
 integration = "aws"
 
 [rule]
@@ -26,7 +26,7 @@ name = "AWS IAM Password Recovery Requested"
 note = """## Config
 
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"]
+references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index d260aeb4a..ca4c12253 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/10/15"
+updated_date = "2022/04/20"
 integration = "aws"
 
 [rule]
@@ -25,7 +25,7 @@ note = """## Config
 
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
-    "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified/",
+    "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
     "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
     "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable",
 ]
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index 2ee0f37bd..4986f48cd 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/10/05"
+updated_date = "2022/04/20"
 integration = "aws"
 
 [rule]
@@ -26,7 +26,7 @@ note = """## Config
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://github.com/easttimor/aws-incident-response#network-routing",
-    "https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-route-table-modified",
+    "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
     "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
     "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
     "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 6eacbcd67..b5de04075 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ license = "Elastic License v2"
 name = "Attempt to Disable Gatekeeper"
 references = [
     "https://support.apple.com/en-us/HT202491",
-    "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/",
+    "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397",
 ]
 risk_score = 47
 rule_id = "4da13d6e-904f-4636-81d8-6ab14b4e6ae9"
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 954b70db5..a8d505fcc 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/11"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ note = """## Config
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
-    "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/",
+    "https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html",
 ]
 risk_score = 73
 rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d"
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 9a39f322e..349340739 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/01/24"
 maturity = "production"
-updated_date = "2022/04/13"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ Audit User Account Management (Success,Failure)
 ```
 """
 references = [
-    "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps",
+    "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b",
     "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738",
     "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"
 ]
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index e7ab9b591..798eae787 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 """
 references = [
     "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
-    "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
+    "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107",
 ]
 risk_score = 73
 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index f46f4056a..9d0613066 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 """
 references = [
     "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
-    "https://rastamouse.me/blog/rdp-jump-boxes/",
+    "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/",
 ]
 risk_score = 47
 rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 38f87c0fe..42cae421f 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/22"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Austin Songer"]
@@ -19,7 +19,7 @@ note = """## Config
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
-    "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
+    "https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/",
     "https://www.shellhacks.com/clear-history-powershell/",
     "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
 ]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index ba9bb218d..fe634a1bd 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 """
 references = [
     "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
-    "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
+    "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
 ]
 risk_score = 47
 rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 229b7d9ba..0b670201f 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 """
 references = [
     "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
-    "https://github.com/fireeye/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SOLARWINDS%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc",
+    "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc",
 ]
 risk_score = 47
 rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 3ca9cd21b..4e77be157 100644
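Review bot: The replacement references in this hunk and in the unusual_child_processes hunk below point at `blob/main/...` of the mandiant/sunburst_countermeasures repository, and the group_policy_scheduled_task hunk likewise keeps a `blob/master/...` SigmaHQ link; branch-relative GitHub URLs break as soon as a file is moved, which is exactly what the old SigmaHQ `builtin/` to `builtin/security/` path change in that hunk shows, so these fixes will rot the same way. The atc-project/atc-data reference in the group_policy hunk already pins a commit (`blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/`); do the same here, e.g. `"https://github.com/mandiant/sunburst_countermeasures/blob/<PINNED_COMMIT_SHA>/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",` with the SHA read from the upstream repository at review time. A pinned URL also freezes the referenced IOC content, so a reader of the rule sees the same material the rule author cited rather than whatever the branch later holds.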
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/03/02"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ references = [
     "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md",
     "https://labs.f-secure.com/tools/sharpgpoabuse",
     "https://twitter.com/menasec1/status/1106899890377052160",
-    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_gpo_scheduledtasks.yml"
+    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"
 ]
 risk_score = 47
 rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e"
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 0915aaa2b..a8f89633e 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
     "https://itm4n.github.io/windows-dll-hijacking-clarified/",
     "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
     "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
-    "https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/",
+    "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html",
     "https://windows-internals.com/faxing-your-way-to-system/",
     "http://waleedassar.blogspot.com/2013/01/wow64logdll.html",
 ]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index d2c980a8d..35d3428e2 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/06"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,6 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 """
 references = [
     "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
-    "https://github.com/afwu/PrintNightmare",
 ]
 risk_score = 47
 rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799"
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index de4993705..9b523d023 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/06"
 maturity = "production"
 min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
 min_stack_version = "7.16.0"
-updated_date = "2022/04/04"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,6 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 """
 references = [
     "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
-    "https://github.com/afwu/PrintNightmare",
 ]
 risk_score = 47
 rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1"