[Tuning] added T1021.006 and T1563.001 (#2497)

* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update credential_access_potential_linux_ssh_bruteforce_root.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml

rules/cross-platform/persistence_ssh_authorized_keys_modification.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -20,13 +20,13 @@ name = "SSH Authorized Keys File Modification"
 risk_score = 47
 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Persistence"]
+tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Lateral Movement", "Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
 event.category:file and event.type:(change or creation) and
- file.name:("authorized_keys" or "authorized_keys2") and
+ file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and
  not process.executable:
              (/Library/Developer/CommandLineTools/usr/bin/git or
               /usr/local/Cellar/maven/*/libexec/bin/mvn or
@@ -38,7 +38,8 @@ event.category:file and event.type:(change or creation) and
               /usr/bin/scp or
               /usr/bin/touch or
               /var/lib/docker/* or
-              /usr/bin/google_guest_agent)
+              /usr/bin/google_guest_agent or 
+              /opt/jc/bin/jumpcloud-agent)
 '''
 
 
@@ -53,10 +54,34 @@ id = "T1098.004"
 name = "SSH Authorized Keys"
 reference = "https://attack.mitre.org/techniques/T1098/004/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1563"
+name = "Remote Service Session Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/"
+[[rule.threat.technique.subtechnique]]
+id = "T1563.001"
+name = "SSH Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/001/"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"

rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml

@@ -3,7 +3,7 @@ creation_date = "2022/09/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/28"
+updated_date = "2023/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,7 @@ The rule identifies consecutive SSH login failures targeting a privileged (root)
 risk_score = 73
 rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement", "Credential Access"]
 type = "eql"
 query = '''
 sequence by host.id, source.ip with maxspan=10s
@@ -82,3 +82,19 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"

rules/linux/persistence_credential_access_modify_ssh_binaries.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/20"
+updated_date = "2023/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusi
 risk_score = 47
 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence", "Elastic Endgame"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence", "Lateral Movement", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -48,6 +48,7 @@ reference = "https://attack.mitre.org/techniques/T1543/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -61,3 +62,30 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1563"
+name = "Remote Service Session Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/"
+[[rule.threat.technique.subtechnique]]
+id = "T1563.001"
+name = "SSH Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/001/"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"

rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -44,6 +44,10 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.006"
+name = "Windows Remote Management"
+reference = "https://attack.mitre.org/techniques/T1021/006/"
 
 
 [rule.threat.tactic]

rules/windows/lateral_movement_powershell_remoting_target.toml

@@ -35,8 +35,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan = 30s
    [network where network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and
-    network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"
-   ]
+    network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"]
    [process where event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"]
 '''
 
@@ -47,7 +46,10 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1021.006"
+name = "Windows Remote Management"
+reference = "https://attack.mitre.org/techniques/T1021/006/"
 
 [rule.threat.tactic]
 id = "TA0008"