diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml index de504b53e..93f3cfb90 100644 --- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/01/27" [rule] author = ["Elastic"] @@ -20,13 +20,13 @@ name = "SSH Authorized Keys File Modification" risk_score = 47 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f" severity = "medium" -tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Persistence"] +tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Lateral Movement", "Persistence"] timestamp_override = "event.ingested" type = "query" query = ''' event.category:file and event.type:(change or creation) and - file.name:("authorized_keys" or "authorized_keys2") and + file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and not process.executable: (/Library/Developer/CommandLineTools/usr/bin/git or /usr/local/Cellar/maven/*/libexec/bin/mvn or @@ -38,7 +38,8 @@ event.category:file and event.type:(change or creation) and /usr/bin/scp or /usr/bin/touch or /var/lib/docker/* or - /usr/bin/google_guest_agent) + /usr/bin/google_guest_agent or + /opt/jc/bin/jumpcloud-agent) ''' @@ -53,10 +54,34 @@ id = "T1098.004" name = "SSH Authorized Keys" reference = "https://attack.mitre.org/techniques/T1098/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" +[[rule.threat.technique.subtechnique]] +id = "T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml index 492cef526..b1a6fcb87 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml @@ -3,7 +3,7 @@ creation_date = "2022/09/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/11/28" +updated_date = "2023/01/27" [rule] author = ["Elastic"] @@ -49,7 +49,7 @@ The rule identifies consecutive SSH login failures targeting a privileged (root) risk_score = 73 rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement", "Credential Access"] type = "eql" query = ''' sequence by host.id, source.ip with maxspan=10s @@ -82,3 +82,19 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index b9dda8e15..0771b8679 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/20" +updated_date = "2023/01/27" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusi risk_score = 47 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence", "Elastic Endgame"] +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence", "Lateral Movement", "Elastic Endgame"] timestamp_override = "event.ingested" type = "query" @@ -48,6 +48,7 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -61,3 +62,30 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1563" +name = "Remote Service Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/" +[[rule.threat.technique.subtechnique]] +id = "T1563.001" +name = "SSH Hijacking" +reference = "https://attack.mitre.org/techniques/T1563/001/" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index ee96aee95..3d5202447 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/01/27" [rule] author = ["Elastic"] @@ -44,6 +44,10 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.006" +name = "Windows Remote Management" +reference = "https://attack.mitre.org/techniques/T1021/006/" [rule.threat.tactic] diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index 5744aaf92..802cf3bbf 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -35,8 +35,7 @@ type = "eql" query = ''' sequence by host.id with maxspan = 30s [network where network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and - network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1" - ] + network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"] [process where event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"] ''' @@ -47,7 +46,10 @@ framework = "MITRE ATT&CK" id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - +[[rule.threat.technique.subtechnique]] +id = "T1021.006" +name = "Windows Remote Management" +reference = "https://attack.mitre.org/techniques/T1021/006/" [rule.threat.tactic] id = "TA0008"