security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:elastic/detection-rules

Browse Source
This commit is contained in:
Mika Ayenson
2023-07-20 13:31:52 -05:00
parent c90ab9de82 93845626b7
commit f92b34f46a
138 changed files with 5737 additions and 643 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1 -1
View File
@@ -27,7 +27,7 @@ Detection Rules contains more than just static rule files. This repository also
| folder | description |
|------------------------------------------------ |------------------------------------------------------------------------------------ |
| [`detection_rules/`](detection_rules) | Python module for rule parsing, validating and packaging |
| [`detection_rules/etc/`](etc) | Miscellaneous files, such as ECS and Beats schemas |
| [`etc/`](detection_rules/etc) | Miscellaneous files, such as ECS and Beats schemas |
| [`kibana/`](kibana) | Python library for handling the API calls to Kibana and the Detection Engine |
| [`kql/`](kql) | Python library for parsing and validating Kibana Query Language |
| [`rta/`](rta) | Red Team Automation code used to emulate attacker techniques, used for rule testing |
detection_rules/etc/deprecated_rules.json
+11 -1
View File
@@ -53,7 +53,7 @@
"deprecation_date": "2023/03/04",
"rule_name": "Potential Shell via Web Server",
"stack_version": "8.3"
},
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"deprecation_date": "2022/08/03",
"rule_name": "Suspicious Process from Conhost",
@@ -199,6 +199,11 @@
"rule_name": "Network Connection via Mshta",
"stack_version": "7.10.0"
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"deprecation_date": "2023/06/22",
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"stack_version": "8.3"
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"deprecation_date": "2021/04/15",
"rule_name": "Hex Encoding/Decoding Activity",
@@ -259,6 +264,11 @@
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"stack_version": "8.0"
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"deprecation_date": "2023/07/04",
"rule_name": "Reverse Shell Created via Named Pipe",
"stack_version": "8.3"
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"deprecation_date": "2022/07/25",
"rule_name": "Unusual Process Execution - Temp",
detection_rules/etc/version.lock.json
+296 -75
View File
@@ -4,7 +4,7 @@
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "8d99a9516adb82d97ce31f13c09b7c0ac13e93f917be99097507c20c4015d17e",
"type": "query",
"version": 103
"version": 103
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.3",
@@ -41,6 +41,13 @@
"type": "query",
"version": 103
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Detected",
"sha256": "05f7ecbd3c668d2efc8876c68c247c96f2dfdfbb1d88da3feaf3127805145773",
"type": "threshold",
"version": 1
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.3",
"rule_name": "Potential Cookies Theft via Browser Debugging",
@@ -56,11 +63,20 @@
"version": 4
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "8f8844fda927ba3149c7d983e7f7619e33e5745f8b1f389c0e10f3b6ba852e0a",
"type": "eql",
"version": 106
}
},
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "789be8d5147c605bb71d3b8591d50e528487c9440450bf27e1711d36edb5b5c5",
"type": "eql",
"version": 105
"version": 206
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"min_stack_version": "8.3",
@@ -174,6 +190,13 @@
"type": "eql",
"version": 105
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "245438059687e2254156b7de6af2bb96cd52b3263ad178486202c575da0a28c0",
"type": "threshold",
"version": 1
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.3",
"rule_name": "Local Account TokenFilter Policy Disabled",
@@ -218,6 +241,13 @@
"type": "query",
"version": 103
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Removable Device",
"sha256": "6fe9605f5969f9fdbeebe376c053f8522fde40eecb05605ffc286f728c904a51",
"type": "new_terms",
"version": 1
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
@@ -374,11 +404,20 @@
"version": 100
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "62abee660a99e58c72f6c4c79047fea8effc510ba10448a766fc3d03d4a36720",
"type": "threshold",
"version": 106
}
},
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "11e0bf29e964bfa87c51e81ea74a1e1174e444b2585a44c67e5a7db58fd0391a",
"type": "threshold",
"version": 105
"version": 206
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"min_stack_version": "8.3",
@@ -468,11 +507,20 @@
"version": 100
},
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Suspicious Lsass Process Access",
"sha256": "c30f6e62697cdaf210db4d6f79d2686bc91e4427ee7bbaea3468482a88373d5c",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious Lsass Process Access",
"sha256": "1eb30fe67fa0abaee0506c1b7c6670c291135f1d6068853480c1a55653893c67",
"sha256": "76c9bb0e0674d8903c7f1429ef3267a939de6bd90838451429533396f7bfbbb8",
"type": "eql",
"version": 4
"version": 105
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"min_stack_version": "8.4",
@@ -761,9 +809,9 @@
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"min_stack_version": "8.3",
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "d04dc98fb22e15f098a76788b675edc49e4bf499983adbf70710640742a10eac",
"sha256": "8b67ccd035342354a2698b9006811320c186cc7a6caebc0aaff26698e08a45bd",
"type": "eql",
"version": 6
"version": 7
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"min_stack_version": "8.3",
@@ -775,9 +823,9 @@
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "09705ab2ee66850492028c8fd86ed71afce32f932312e1453b6886d0c9e95fa6",
"sha256": "9c653b226714edd66db9bcd63a5b61afe9f915a3d04b61c4e9641b0132981891",
"type": "eql",
"version": 106
"version": 107
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"min_stack_version": "8.3",
@@ -789,9 +837,9 @@
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "fd9c5690985b7c83672b0f08e298045ca247f83559a1a858a5b4752308f6bed9",
"sha256": "fad07b733ad42f63807d05c81d55df36306a6c09c9e59bbf960f30ffd4f3d047",
"type": "eql",
"version": 104
"version": 105
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.3",
@@ -1026,9 +1074,9 @@
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "f96041c4a051d8bc206063cccec4c36ba921d0212c5d724572623af7ae44c6f9",
"sha256": "181d04840190629ceac8ddaecd5d5cbd16eec9b17b497b70284b04070ad8f3a1",
"type": "eql",
"version": 104
"version": 105
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"min_stack_version": "8.3",
@@ -1068,9 +1116,9 @@
"28738f9f-7427-4d23-bc69-756708b5f624": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "d4f6e38433ee840988ea690bc217d0c04ff099fc5e183146a176b8d77ec750a8",
"sha256": "af6a4c763918f1b8c3b75c94da57150e6613f9b1c060b6253fc7dd08841c57dc",
"type": "eql",
"version": 2
"version": 3
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
@@ -1106,6 +1154,13 @@
"type": "eql",
"version": 108
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"min_stack_version": "8.3",
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "4a70cd9ce5cb0245001ed19046dc9211a007e0edb87d55d452e8623cd0aac76c",
"type": "eql",
"version": 1
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"min_stack_version": "8.4",
"previous": {
@@ -1158,11 +1213,20 @@
"version": 104
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "9aa09b7a6367bc4d21531ae1e5860ac4f0f89b9a2331c0c63032d8fa85c753e5",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "df14ef4e07fceb0c56c6aa4890c718fa6bd9c54adc900f5bf264727e7a7c0d37",
"type": "eql",
"version": 107
"version": 208
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"min_stack_version": "8.3",
@@ -1223,9 +1287,9 @@
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "018cd94848cb4fe2b823573ca90addd46f7d11c6846367ce77057e16348d8181",
"type": "query",
"version": 104
"sha256": "d53d2bac0f592f365342ebf32de4f22f12321dff80b3982f1dff5848f91a5994",
"type": "eql",
"version": 105
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"min_stack_version": "8.3",
@@ -1561,11 +1625,20 @@
"version": 105
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "ef3b36cfe9937ac9e94d85f43e7c8d1eb725f6edec2353a6c3df2745f5d06fbb",
"type": "eql",
"version": 107
}
},
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "7cb2b7500b86c37fa3f51926431b8f44f6c119d48cf37e143cfa176f9facadb8",
"type": "eql",
"version": 106
"version": 207
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"min_stack_version": "8.3",
@@ -1595,6 +1668,13 @@
"type": "eql",
"version": 103
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Modprobe File Event",
"sha256": "9db38abed795d655cb74c1744a934743fbf685f4ae38cb42a28e35bd06eefda6",
"type": "eql",
"version": 1
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.3",
"rule_name": "Control Panel Process with Unusual Arguments",
@@ -1675,9 +1755,9 @@
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.3",
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "099a172ef4590e40ac82c92b5a99f53ac755bc20da2a48b0d55b05a84e594d52",
"sha256": "3338f91573d9f2de9fec741a8de8feac5f2b0486ab6c185b94f5f37b938c89fc",
"type": "eql",
"version": 7
"version": 8
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"min_stack_version": "8.3",
@@ -1762,6 +1842,13 @@
"type": "eql",
"version": 103
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell",
"sha256": "a712b2abc1979328e3ba6864ed807bd469b2ec80c5c84f8ae8de16d759578a67",
"type": "eql",
"version": 1
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure from the same Source Address",
@@ -1813,6 +1900,13 @@
"type": "query",
"version": 106
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"min_stack_version": "8.6",
"rule_name": "Potential Process Injection via LD_PRELOAD Environment Variable",
"sha256": "c98c09aa04335312a0ff21b0af0e49c0218d303221038df2aab1398fb821ba5a",
"type": "eql",
"version": 1
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"min_stack_version": "8.3",
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
@@ -1820,6 +1914,13 @@
"type": "query",
"version": 102
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Parent Process",
"sha256": "2ee3bc61b99c1f90573b3be75492cd5a761d90e381955929c03553fbc8504525",
"type": "eql",
"version": 1
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Firewall Rules via Netsh",
@@ -1848,6 +1949,13 @@
"type": "query",
"version": 6
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"min_stack_version": "8.3",
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "c58ed6e2277c2938844908a89695fa82660c307bc9dc206f10a52e4fa077b9a0",
"type": "eql",
"version": 1
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"min_stack_version": "8.3",
"rule_name": "AWS Management Console Brute Force of Root User Identity",
@@ -1939,6 +2047,13 @@
"type": "eql",
"version": 104
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "c3228a5cb84c6e646834e1f6a578e0b7c642d97082d1faf6cb28e94b94553d66",
"type": "eql",
"version": 1
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"min_stack_version": "8.3",
"rule_name": "AWS GuardDuty Detector Deletion",
@@ -1949,9 +2064,9 @@
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"min_stack_version": "8.3",
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "29790b0b2d6e35dffcb37b29b2d5cb4d22b7d35cd064e746deef921d52db47f7",
"sha256": "08e086437b7c505630da7f3f2859efadfd8944d262f1bddb19d4c71766cb0cbe",
"type": "eql",
"version": 105
"version": 106
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.3",
@@ -2122,9 +2237,9 @@
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.3",
"rule_name": "RDP Enabled via Registry",
"sha256": "29078352bc699df5b5ecfa39cece91616abc3ce7dce5685f3018a5d36d993b1c",
"sha256": "f5c878461dc75c880cecb2f8430512a7a3b35a7636ba5436fb47b4b24e67dfb7",
"type": "eql",
"version": 105
"version": 106
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"min_stack_version": "8.3",
@@ -2175,6 +2290,13 @@
"type": "eql",
"version": 104
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Java",
"sha256": "f28586fc72625444f3b4be252b142c3e5c82e50f4adb96f5be4958dec4268f41",
"type": "eql",
"version": 1
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"min_stack_version": "8.3",
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
@@ -2449,6 +2571,13 @@
"type": "eql",
"version": 102
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "5011350beae3fbee34961ee280dce76139c391e32caf77391b710c0998735d95",
"type": "eql",
"version": 1
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Web Services",
@@ -2500,9 +2629,9 @@
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process Terminations",
"sha256": "2f7bfcd5121da1321ec96a27333dcd7da86d0ec12827922338b4642913d43c93",
"sha256": "ce2fa2e1187bf642ec55d7d148eec060fa325ac951f2be420c402e1ad51270f5",
"type": "threshold",
"version": 106
"version": 107
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
@@ -2775,16 +2904,16 @@
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"min_stack_version": "8.3",
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "92da433ebfb2177c7b51819eebbe61957a72ff556cb3ded55d826a7fc9d45913",
"sha256": "db42ea3e5c51dbabb3613e87b500b004d6b2f22db0587ca0bd388a8e546c6093",
"type": "query",
"version": 104
"version": 105
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "e52eed9c8cd5496c5c1c20e815e74393fb74456306252edb79633e1e3618cf8a",
"sha256": "e9810aa03d41a4680292d5c35a83f9c73d6d88b8ba00196480064195b316969d",
"type": "eql",
"version": 108
"version": 109
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.3",
@@ -2841,6 +2970,13 @@
"type": "machine_learning",
"version": 102
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Sysctl File Event",
"sha256": "f79fc847a2fd5595520dba9ec67e770ad628d3c141e6befef5c8622a55a1e0be",
"type": "eql",
"version": 1
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
@@ -2892,6 +3028,13 @@
"type": "eql",
"version": 104
},
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "7e4a8ddc67134b3b531131acefeb839f8301364cbf5af9e59961b718342f9424",
"type": "eql",
"version": 1
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Tunneling Detected",
@@ -2920,6 +3063,13 @@
"type": "query",
"version": 102
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Sweep Detected",
"sha256": "73eee30fa3997742747ac2b5413ee70cc35e4b3be16faa7c79e268a16425ba79",
"type": "threshold",
"version": 1
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"min_stack_version": "8.4",
"previous": {
@@ -3005,11 +3155,20 @@
"version": 105
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "cfb5125f0705e215f8dc00f7a38fe7454cf24077181b6b9c70068c7e46fbadb6",
"type": "eql",
"version": 106
}
},
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "29e6369ddb5da23c00355cf063d8da8f8dc008a9cd28b2d2f6324d8b9618c53a",
"type": "eql",
"version": 105
"version": 206
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"min_stack_version": "8.3",
@@ -3153,9 +3312,9 @@
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "bc53d1dbba1010446ca85bd7500870ce3bde0884a67804fc35db83bef33069ff",
"sha256": "6d16ec9af048dc6cb0ae829032dc7f010510fc01e39097bf9deb4d6476af80fd",
"type": "eql",
"version": 106
"version": 107
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"min_stack_version": "8.3",
@@ -3333,9 +3492,9 @@
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH Password Guessing",
"sha256": "cdf197aac53bebddcf87f917dd2a37e795c2187adac142d96c83f91ae832a7de",
"sha256": "26894fa5e08e82c7990e3ae5d6fb094214df7da670d2eb5fb9d2001e7772265c",
"type": "eql",
"version": 5
"version": 6
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"min_stack_version": "8.8",
@@ -3702,11 +3861,20 @@
"version": 103
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "51227a6967396d84ff70c0b13a8a92fe16f45b0f6824b1cafb1b648ea5d5fddd",
"type": "eql",
"version": 106
}
},
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "2afc41e645fc2f007dfe22ec27e0c211672070aacd5d5a0a8281a8e68a24639f",
"type": "eql",
"version": 105
"version": 206
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "8.3",
@@ -3723,11 +3891,20 @@
"version": 102
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"min_stack_version": "8.3",
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "96dd345dd9049c6da3264d6610314a092cfb79e65182d8d163815c1889ba3314",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "96dd345dd9049c6da3264d6610314a092cfb79e65182d8d163815c1889ba3314",
"type": "eql",
"version": 5
"sha256": "ebd07f4f1c4c808413c8280170d1a229c9ff5ea9c42f0a11e064e4861965f364",
"type": "new_terms",
"version": 105
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.3",
@@ -3889,9 +4066,9 @@
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was updated",
"sha256": "2c9704e304d8d996f137257b6854e679631bcfa0dd302aca47f47cedd91892e7",
"sha256": "f72866c48ccae69c487c9485afbf8ca05fc67403d5bda38d738920206c830645",
"type": "eql",
"version": 7
"version": 8
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"min_stack_version": "8.3",
@@ -4143,9 +4320,9 @@
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
"rule_name": "Remotely Started Services via RPC",
"sha256": "bd0ca2d04964ce7d36b017a81d9d9967a362419827fa1d636cffd34764f0f18c",
"sha256": "02da666124b0d072a5ce43d2b0eb1c1f0687435a6b1ec47726d9e42905b9d60f",
"type": "eql",
"version": 106
"version": 107
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"min_stack_version": "8.5",
@@ -4411,9 +4588,9 @@
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Elastic Agent Service Terminated",
"sha256": "b7aa857260502cd30f5f4c65ccbd873479e0bfcdac74dfd364e78fb9a5f9678f",
"sha256": "1a60d9adba57832adff8082d1c2b375560d5b1f7eb2111020afb019fff3fd6ef",
"type": "eql",
"version": 102
"version": 103
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.3",
@@ -4474,9 +4651,9 @@
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.3",
"rule_name": "Chkconfig Service Add",
"sha256": "7409022ed873888e3837126b2a4d3fd6cf87c2f90b31a796c97f198df51975d1",
"sha256": "883163582e8b2af740c8ae7d6dc898796d4d0bdefec3f0faced835054500fe87",
"type": "eql",
"version": 104
"version": 105
},
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
"min_stack_version": "8.3",
@@ -4541,6 +4718,13 @@
"type": "query",
"version": 102
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"min_stack_version": "8.3",
"rule_name": "Potential SYN-Based Network Scan Detected",
"sha256": "e3fa0192e162477e7c0432616bc59efd5cbfa01e8b3a70e8fe7cc9977b7a7249",
"type": "threshold",
"version": 1
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"min_stack_version": "8.3",
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
@@ -4628,9 +4812,9 @@
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.3",
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "6bb5a10732152506d86df3c43cf30d8e3f6698d13860c82c5864203686602712",
"sha256": "aabc80f5592be42389ac49d447b4cf6c02f92531bfcb96e9b3e8d42ab0d221d0",
"type": "eql",
"version": 105
"version": 106
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"min_stack_version": "8.3",
@@ -4880,9 +5064,9 @@
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "c6d72fb392daa85873c96a647cbfa1b511bdddefb7c25e62a6064cc1ddcbd775",
"sha256": "96682e9b9640c83fb004fefdfadefa0499ffaee2f18b224c2a919c0be924579c",
"type": "eql",
"version": 2
"version": 3
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.3",
@@ -4926,11 +5110,20 @@
"version": 100
},
"cac91072-d165-11ec-a764-f661ea17fbce": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "773477fde04d636ba32e12c52480ac912e81cc69b6e5fe6612f0a40e65434750",
"type": "eql",
"version": 107
}
},
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "773477fde04d636ba32e12c52480ac912e81cc69b6e5fe6612f0a40e65434750",
"type": "eql",
"version": 107
"sha256": "d76db814f07cf25a8e686f720a3a92b86455db0f2209dc2a12e1f31d5444e096",
"type": "new_terms",
"version": 207
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.4",
@@ -5266,9 +5459,9 @@
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"min_stack_version": "8.3",
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "44072cf7c1f20e90e72ec90b43418d1ae4535fd6acbc5ddfdeb17f2f9daf9b42",
"sha256": "e6b3ef23ab08030ed69f89c0ff395b3e4735d6f053e32e2f5a39b4c522c192e7",
"type": "eql",
"version": 105
"version": 106
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"min_stack_version": "8.3",
@@ -5360,6 +5553,13 @@
"type": "query",
"version": 101
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "e4ae2073950e301288dd33fc960e36f0d7873b7529fc979ac34d8ffa4af1c11c",
"type": "eql",
"version": 1
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
@@ -5739,6 +5939,13 @@
"type": "eql",
"version": 3
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"min_stack_version": "8.4",
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "137b5aa97aad2f77517958f46e0bce9edb04a546f1eb2dbb6a8f63fba22b69f8",
"type": "new_terms",
"version": 1
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.3",
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -5817,9 +6024,9 @@
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Network Connection Attempt by Root",
"sha256": "ce171e10dd4f2e9f29d53f86a45ef18f13d60934ea0b9dfab548e7e78bdb4327",
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
"type": "eql",
"version": 103
"version": 104
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"min_stack_version": "8.3",
@@ -6047,9 +6254,9 @@
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.3",
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "2cc5999ea9bca1224596aa743a6061b9a66467314d2e17783d03f46fc9ebeb4a",
"sha256": "5f0a33718711359e7a2af2f2e56e9f79233e0193ae37a5b8b39e5095584c8993",
"type": "eql",
"version": 105
"version": 106
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"min_stack_version": "8.3",
@@ -6085,6 +6292,13 @@
"type": "eql",
"version": 100
},
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "188ba26251c3df6a20ccd67b2ae9b96139fb4d5c1c68e891399e9d99feba842f",
"type": "eql",
"version": 1
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Executing PowerShell",
@@ -6214,16 +6428,23 @@
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"min_stack_version": "8.3",
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "0a85e5b12d3f9d504e42f5657e237eabe3b1f46221056c4468a09afa97701f11",
"sha256": "983e0ddc1783910db137adf087a0cb74b34fbf20bf1569b9024cd5578ab1b84a",
"type": "eql",
"version": 2
"version": 3
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "ee207a0dc12424d42a280ae67bb24d949dc4a3b91c0a3c709e0051db52d4165a",
"type": "eql",
"version": 1
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "70f6b702304d14b1e4db662b3b6f9eec193223953e69772dbc78cff2ae73d186",
"sha256": "bc08d2c4be90293d885bf62c71e887f88c297e8f8366a937fb61e30784ee0a8f",
"type": "eql",
"version": 4
"version": 5
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
detection_rules/rule.py
+3
View File
@@ -698,6 +698,9 @@ class EQLRuleData(QueryRuleData):
"""EQL rules are a special case of query rules."""
type: Literal["eql"]
language: Literal["eql"]
timestamp_field: Optional[str] = field(metadata=dict(metadata=dict(min_compat="8.0")))
event_category_override: Optional[str] = field(metadata=dict(metadata=dict(min_compat="8.0")))
tiebreaker_field: Optional[str] = field(metadata=dict(metadata=dict(min_compat="8.0")))
def convert_relative_delta(self, lookback: str) -> int:
now = len("now")
detection_rules/rule_validators.py
+34 -2
View File
@@ -5,7 +5,8 @@
"""Validation logic for rules containing queries."""
from functools import cached_property
from typing import List, Optional, Union
from typing import List, Optional, Union, Tuple
from semver import Version
import eql
@@ -13,7 +14,9 @@ import kql
from . import ecs, endgame
from .integrations import get_integration_schema_data, load_integrations_manifests
from .rule import QueryRuleData, QueryValidator, RuleMeta, TOMLRuleContents
from .misc import load_current_package_version
from .schemas import get_stack_schemas
from .rule import QueryRuleData, QueryValidator, RuleMeta, TOMLRuleContents, EQLRuleData
EQL_ERROR_TYPES = Union[eql.EqlCompileError,
eql.EqlError,
@@ -194,6 +197,12 @@ class EQLValidator(QueryValidator):
if validation_checks["stack"] and validation_checks["integrations"]:
raise ValueError(f"Error in both stack and integrations checks: {validation_checks}")
rule_type_config_fields, rule_type_config_validation_failed = \
self.validate_rule_type_configurations(data, meta)
if rule_type_config_validation_failed:
raise ValueError(f"""Rule type config values are not ECS compliant, check these values:
{rule_type_config_fields}""")
def validate_stack_combos(self, data: QueryRuleData, meta: RuleMeta) -> Union[EQL_ERROR_TYPES, None, ValueError]:
"""Validate the query against ECS and beats schemas across stack combinations."""
for stack_version, mapping in meta.get_validation_stack_versions().items():
@@ -308,6 +317,29 @@ class EQLValidator(QueryValidator):
print(err_trailer)
return exc
def validate_rule_type_configurations(self, data: EQLRuleData, meta: RuleMeta) -> \
Tuple[List[Optional[str]], bool]:
"""Validate EQL rule type configurations."""
if data.timestamp_field or data.event_category_override or data.tiebreaker_field:
# get a list of rule type configuration fields
# Get a list of rule type configuration fields
fields = ["timestamp_field", "event_category_override", "tiebreaker_field"]
set_fields = list(filter(None, (data.get(field) for field in fields)))
# get stack_version and ECS schema
min_stack_version = meta.get("min_stack_version")
if min_stack_version is None:
min_stack_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)
ecs_version = get_stack_schemas()[str(min_stack_version)]['ecs']
schema = ecs.get_schema(ecs_version)
# return a list of rule type config field values and whether any are not in the schema
return (set_fields, any([f not in schema.keys() for f in set_fields]))
else:
# if rule type fields are not set, return an empty list and False
return [], False
def extract_error_field(exc: Union[eql.EqlParseError, kql.KqlParseError]) -> Optional[str]:
"""Extract the field name from an EQL or KQL parse error."""
rta/bin/netcon_exec_chain.elf
Executable
BIN
View File
Binary file not shown.
rta/exec_java_revshell_linux.py
+47
View File
@@ -0,0 +1,47 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from . import common
from . import RtaMetadata
metadata = RtaMetadata(
uuid="e0db3577-879e-4ac2-bd58-691e1343afca",
platforms=["linux"],
endpoint=[{"rule_name": "Potential Linux Reverse Shell via Java", "rule_id": "e0db3577-879e-4ac2-bd58-691e1343afca"}],
siem=[],
techniques=["T1059", "T1071"],
)
@common.requires_os(metadata.platforms)
def main():
common.log("Creating a fake Java executable..")
masquerade = "/bin/java"
source = common.get_path("bin", "netcon_exec_chain.elf")
common.copy_file(source, masquerade)
common.log("Granting execute permissions...")
common.execute(['chmod', '+x', masquerade])
commands = [
masquerade,
'chain',
'-h',
'127.0.0.1',
'-p',
'1337',
'-c',
'-jar'
]
common.log("Simulating reverse shell activity..")
common.execute([*commands], timeout=5)
common.log("Reverse shell simulation successful!")
common.log("Cleaning...")
common.remove_file(masquerade)
common.log("RTA completed!")
if __name__ == "__main__":
exit(main())
rta/kernel_module_removal_execution.py
+46
View File
@@ -0,0 +1,46 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from pathlib import Path
from . import common
from . import RtaMetadata
metadata = RtaMetadata(
uuid="900e8599-1d5f-4522-9aed-6eab82de2bad",
platforms=["linux"],
endpoint=[
{
"rule_name": "Kernel Module Removal",
"rule_id": "e80ba5e4-b6c6-4534-87b0-8c0f4e1d97e7",
}
],
siem=[
{
"rule_name": "Kernel Module Removal",
"rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
}
],
techniques=["T1562", "T1562.001", "T1547", "T1547.006"],
)
@common.requires_os(metadata.platforms)
def main():
masquerade = "/tmp/rmmod"
source = common.get_path("bin", "linux.ditto_and_spawn")
common.copy_file(source, masquerade)
# Execute command
common.log("Launching fake commands to remove Kernel Module")
common.execute([masquerade], timeout=10, kill=True)
# cleanup
common.remove_file(masquerade)
if __name__ == "__main__":
exit(main())
rta/mimipenguin_execution.py
+50
View File
@@ -0,0 +1,50 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from pathlib import Path
from . import common
from . import RtaMetadata
metadata = RtaMetadata(
uuid="e5a98cc9-1f15-4d14-baf2-96bebb932ae9",
platforms=["linux"],
endpoint=[
{
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"rule_id": "508226f9-4030-4e86-86cd-63321b7164bc",
}
],
siem=[
{
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
}
],
techniques=["T1212", "T1003", "T1003.007"],
)
@common.requires_os(metadata.platforms)
def main():
masquerade = "/tmp/ps"
masquerade2 = "/tmp/strings"
source = common.get_path("bin", "linux.ditto_and_spawn")
common.copy_file(source, masquerade)
common.copy_file(source,masquerade2)
# Execute command
common.log("Launching fake commands to dump credential via proc")
common.execute([masquerade, "-eo", "pid", "command"], timeout=10, kill=True)
common.execute([masquerade2, "/tmp/test"], timeout=10, kill=True)
# cleanup
common.remove_file(masquerade)
common.remove_file(masquerade2)
if __name__ == "__main__":
exit(main())
rta/src/netcon_exec_chain.go
+97
View File
@@ -0,0 +1,97 @@
package main
import (
"flag"
"fmt"
"net"
"os"
"os/exec"
"time"
)
func main() {
netconCommand := flag.NewFlagSet("netcon", flag.ExitOnError)
netconIP := netconCommand.String("h", "", "IP address")
netconPort := netconCommand.Int("p", 0, "Port")
execCommand := flag.NewFlagSet("exec", flag.ExitOnError)
execCmd := execCommand.String("c", "", "Shell command")
chainCommand := flag.NewFlagSet("chain", flag.ExitOnError)
chainIP := chainCommand.String("h", "", "IP address")
chainPort := chainCommand.Int("p", 0, "Port")
chainCmd := chainCommand.String("c", "", "Shell command")
if len(os.Args) < 2 {
fmt.Println("Usage:")
fmt.Println(" netcon -h <IP> -p <Port>")
fmt.Println(" exec -c <command>")
fmt.Println(" chain -h <IP> -p <Port> -c <command>")
os.Exit(1)
}
switch os.Args[1] {
case "netcon":
netconCommand.Parse(os.Args[2:])
if *netconIP == "" || *netconPort == 0 {
fmt.Println("Missing IP address or port")
netconCommand.PrintDefaults()
os.Exit(1)
}
conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", *netconIP, *netconPort))
if err != nil {
fmt.Println("Failed to connect:", err)
os.Exit(1)
}
conn.Close()
case "exec":
execCommand.Parse(os.Args[2:])
if *execCmd == "" {
fmt.Println("Missing command")
execCommand.PrintDefaults()
os.Exit(1)
}
cmd := exec.Command("/bin/sh", "-c", *execCmd)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err := cmd.Run()
if err != nil {
fmt.Println("Failed to execute command:", err)
os.Exit(1)
}
case "chain":
chainCommand.Parse(os.Args[2:])
if *chainIP == "" || *chainPort == 0 || *chainCmd == "" {
fmt.Println("Missing IP address, port, or command")
chainCommand.PrintDefaults()
os.Exit(1)
}
conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", *chainIP, *chainPort))
if err != nil {
fmt.Println("Failed to connect:", err)
} else {
conn.Close()
}
time.Sleep(10 * time.Millisecond)
cmd := exec.Command("/bin/sh", "-c", *chainCmd)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err = cmd.Run()
if err != nil {
fmt.Println("Failed to execute command:", err)
os.Exit(1)
}
default:
fmt.Println("Invalid command")
fmt.Println("Usage:")
fmt.Println(" netcon -h <IP> -p <Port>")
fmt.Println(" exec -c <command>")
fmt.Println(" chain -h <IP> -p <Port> -c <command>")
os.Exit(1)
}
}
rta/unshadow_execution.py
+46
View File
@@ -0,0 +1,46 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from pathlib import Path
from . import common
from . import RtaMetadata
metadata = RtaMetadata(
uuid="c5cecd6d-a7c4-4e3b-970d-6ca5cfc5c662",
platforms=["linux"],
endpoint=[
{
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"rule_id": "05f95917-6942-4aab-a904-37c6db906503",
}
],
siem=[
{
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
}
],
techniques=["T1003", "T1003.008"],
)
@common.requires_os(metadata.platforms)
def main():
masquerade = "/tmp/unshadow"
source = common.get_path("bin", "linux.ditto_and_spawn")
common.copy_file(source, masquerade)
# Execute command
common.log("Launching fake commands to dump credential via unshadow")
common.execute([masquerade, "/etc/passwd /etc/shadow"], timeout=10, kill=True)
# cleanup
common.remove_file(masquerade)
if __name__ == "__main__":
exit(main())
rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml → rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml
+6 -3
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2022/09/14"
deprecation_date = "2023/06/22"
integration = ["system"]
maturity = "production"
maturity = "deprecated"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
@@ -52,6 +53,7 @@ rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access"]
type = "eql"
query = '''
sequence by host.id, source.ip with maxspan=10s
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
@@ -82,8 +84,6 @@ reference = "https://attack.mitre.org/techniques/T1110/003/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -95,7 +95,10 @@ id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
rules/linux/execution_reverse_shell_via_named_pipe.toml → rules/_deprecated/execution_reverse_shell_via_named_pipe.toml
+10 -3
View File
@@ -1,10 +1,11 @@
[metadata]
creation_date = "2022/11/14"
deprecation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
maturity = "deprecated"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/04"
[rule]
author = ["Elastic"]
@@ -34,7 +35,13 @@ references = [
risk_score = 47
rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Endgame",
]
type = "eql"
query = '''
rules/cross-platform/threat_intel_filebeat8x.toml → rules/_deprecated/threat_intel_filebeat8x.toml
+38 -30
View File
@@ -1,16 +1,16 @@
[metadata]
creation_date = "2021/11/24"
maturity = "production"
updated_date = "2023/06/27"
deprecation_date = "2023/07/03"
maturity = "deprecated"
min_stack_comments = "Updating the rule for 8.5+ users before deprecation."
min_stack_version = "8.5.0"
updated_date = "2023/07/03"
[rule]
author = ["Elastic"]
description = """
This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations.
This rule was deprecated. See the Setup section for more information and alternative rules.
This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or
network observations. This rule was deprecated. See the Setup section for more information and alternative rules.
"""
from = "now-65m"
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
@@ -59,126 +59,134 @@ This rule was deprecated in the 8.8 version of the Elastic Stack for performance
* Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60
* Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3
"""
references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
references = ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
risk_score = 99
rule_id = "699e9fdb-b77c-4c01-995c-1c15019b9c43"
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
threat_index = ["filebeat-8*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = """
@timestamp >= "now-30d/d" and event.module:threatintel and (threat.indicator.file.hash.*:* or
threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or
threat.indicator.url.full:*)
"""
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
type = "threat_match"
threat_index = ["filebeat-8*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = '''
@timestamp >= "now-30d/d" and event.module:threatintel and
(threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or
threat.indicator.registry.path:* or threat.indicator.url.full:*)
'''
query = """
query = '''
file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*
"""
'''
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.module"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "threatintel"
[rule.threat_filters.query.match_phrase]
"event.module" = "threatintel"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.md5"
type = "mapping"
value = "threat.indicator.file.hash.md5"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha1"
type = "mapping"
value = "threat.indicator.file.hash.sha1"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha256"
type = "mapping"
value = "threat.indicator.file.hash.sha256"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.pe.imphash"
type = "mapping"
value = "threat.indicator.file.pe.imphash"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "source.ip"
type = "mapping"
value = "threat.indicator.ip"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "destination.ip"
type = "mapping"
value = "threat.indicator.ip"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "url.full"
type = "mapping"
value = "threat.indicator.url.full"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "registry.path"
type = "mapping"
value = "threat.indicator.registry.path"
rules/cross-platform/threat_intel_fleet_integrations.toml → rules/_deprecated/threat_intel_fleet_integrations.toml
+38 -30
View File
@@ -1,16 +1,16 @@
[metadata]
creation_date = "2021/04/21"
maturity = "production"
updated_date = "2023/06/27"
deprecation_date = "2023/07/03"
maturity = "deprecated"
min_stack_comments = "Updating the rule for 8.5+ users before deprecation."
min_stack_version = "8.5.0"
updated_date = "2023/07/03"
[rule]
author = ["Elastic"]
description = """
This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations.
This rule was deprecated. See the Setup section for more information and alternative rules.
This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network
observations. This rule was deprecated. See the Setup section for more information and alternative rules.
"""
from = "now-65m"
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
@@ -59,126 +59,134 @@ This rule was deprecated in the 8.8 version of the Elastic Stack for performance
* Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60
* Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3
"""
references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
references = ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
risk_score = 99
rule_id = "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0"
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
threat_index = ["logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = """
@timestamp >= "now-30d/d" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or
threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or
threat.indicator.url.full:*)
"""
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
type = "threat_match"
threat_index = ["logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = '''
@timestamp >= "now-30d/d" and event.dataset:ti_* and
(threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or
threat.indicator.registry.path:* or threat.indicator.url.full:*)
'''
query = """
query = '''
file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*
"""
'''
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.dataset"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "ti_*"
[rule.threat_filters.query.match_phrase]
"event.dataset" = "ti_*"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.md5"
type = "mapping"
value = "threat.indicator.file.hash.md5"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha1"
type = "mapping"
value = "threat.indicator.file.hash.sha1"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha256"
type = "mapping"
value = "threat.indicator.file.hash.sha256"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.pe.imphash"
type = "mapping"
value = "threat.indicator.file.pe.imphash"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "source.ip"
type = "mapping"
value = "threat.indicator.ip"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "destination.ip"
type = "mapping"
value = "threat.indicator.ip"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "url.full"
type = "mapping"
value = "threat.indicator.url.full"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "registry.path"
type = "mapping"
value = "threat.indicator.registry.path"
rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+3
View File
@@ -44,6 +44,9 @@ or
process.args : "elastic-agent" and
process.args : "stop")
or
/* pkill , killall used to stop Elastic Agent on Linux */
( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
or
/* Unload Elastic Agent extension on MacOS */
(process.name : "kextunload" and
process.args : "com.apple.iokit.EndpointSecurity" and
rules/cross-platform/threat_intel_indicator_match_url.toml
+13 -1
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2023/06/27"
updated_date = "2023/07/03"
min_stack_comments = """
Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
general rules.
@@ -97,3 +97,15 @@ value = "threat.indicator.url.full"
field = "url.domain"
type = "mapping"
value = "threat.indicator.url.domain"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "source.domain"
type = "mapping"
value = "threat.indicator.url.domain"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "destination.domain"
type = "mapping"
value = "threat.indicator.url.domain"
rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
+53
View File
@@ -0,0 +1,53 @@
[metadata]
creation_date = "2023/06/28"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/28"
[rule]
author = ["Elastic"]
description = "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment."
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "AWS Credentials Searched For Inside A Container"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
references = [
"https://sysdig.com/blog/threat-detection-aws-cloud-containers/",
]
risk_score = 47
rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767"
severity = "medium"
timestamp_override = "event.ingested"
type = "eql"
query = """
process where event.module == "cloud_defend" and
event.type == "start" and
/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
(process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and
process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*")
"""
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0006"
reference = "https://attack.mitre.org/tactics/TA0006/"
name = "Credential Access"
[[rule.threat.technique]]
id = "T1552"
reference = "https://attack.mitre.org/techniques/T1552/"
name = "Unsecured Credentials"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
reference = "https://attack.mitre.org/techniques/T1552/001/"
name = "Credentials In Files"
rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+56
View File
@@ -0,0 +1,56 @@
[metadata]
creation_date = "2023/06/06"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/23"
[rule]
author = ["Elastic"]
description = """
This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container.
The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying
the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and
has been used to evade detection of malicious processes in container environments.
"""
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Modification of Dynamic Linker Preload Shared Object Inside A Container"
references = [
"https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
"https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/",
"https://sysdig.com/blog/threat-detection-aws-cloud-containers/",
]
risk_score = 73
rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee"
severity = "high"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+3 -2
View File
@@ -4,7 +4,8 @@ integration = ["kubernetes"]
maturity = "production"
min_stack_comments = "New fields added to Kubernetes Integration"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"
updated_date = "2023/06/23"
[rule]
author = ["Elastic"]
@@ -41,7 +42,7 @@ query = '''
event.dataset:kubernetes.audit_logs
and kubernetes.audit.annotations.authorization_k8s_io/decision:allow
and kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *)
and not kubernetes.audit.objectRef.resource:(healthz or livez or readyz)
and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz*)
'''
rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
+57
View File
@@ -0,0 +1,57 @@
[metadata]
creation_date = "2023/07/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
min_stack_version = "8.6.0"
integration = ["o365"]
updated_date = "2023/07/18"
[rule]
author = ["Elastic"]
description = """
Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last
10 days.
"""
false_positives = ["User using a new mail client."]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Microsoft 365 Mail Access by ClientAppId"
note = """## Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"]
risk_score = 47
rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.ClientAppId", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+39 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -16,7 +16,44 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempted Bypass of Okta MFA"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempted Bypass of Okta MFA
Multi-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.
This rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network.
#### Possible investigation steps
- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.
- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.
- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.
- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.
- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).
- Check for successful logins immediately following the MFA bypass attempt.
- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.
### False positive analysis
- Check if there were issues with the MFA system at the time of the bypass attempt. This could indicate a system error rather than a genuine bypass attempt.
- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive.
- Verify the actor's MFA settings to ensure they are correctly configured.
### Response and remediation
- If unauthorized access is confirmed, initiate the incident response process.
- Immediately lock the affected actor account and require a password change.
- Consider resetting MFA tokens for the actor and require re-enrollment.
- Check if the compromised account was used to access or alter any sensitive data or systems.
- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.
- Assess the criticality of affected services and servers.
- Work with your IT team to minimize the impact on users and maintain business continuity.
- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.
- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+36 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -18,7 +18,41 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempts to Brute Force an Okta User Account"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempts to Brute Force an Okta User Account
Brute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.
This rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.
#### Possible investigation steps:
- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.
- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.
- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.
- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.
- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.
- Determine if the lockout events occurred during the user's regular activity hours. Unusual timing may indicate malicious activity.
- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.
### False positive analysis:
- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.
- Ensure there are no known network or application issues that might cause these events.
### Response and remediation:
- Alert the user and your IT department immediately.
- If unauthorized access is confirmed, initiate your incident response process.
- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.
- Require the affected user to change their password.
- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.
- Implement account lockout policies to limit the impact of brute force attacks.
- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.
- Check if the compromised account was used to access or alter any sensitive data or systems.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/credential_access_mfa_push_brute_force.toml
+36 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -17,7 +17,41 @@ index = ["filebeat-*", "logs-okta*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Abuse of Repeated MFA Push Notifications"
note = """## Setup
note = """## Triage and analysis
### Investigating Potential Abuse of Repeated MFA Push Notifications
Multi-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.
This rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.
#### Possible investigation steps:
- Identify the user who received the MFA notifications by reviewing the `user.email` field.
- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.
- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.
- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.
- Check if the MFA requests and the successful login occurred during the user's regular activity hours.
- Look for any other suspicious activity on the account around the same time.
- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.
### False positive analysis:
- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.
- Check if there are known issues with the MFA system causing false denials.
### Response and remediation:
- If unauthorized access is confirmed, initiate your incident response process.
- Alert the user and your IT department immediately.
- If possible, isolate the user's account until the issue is resolved.
- Investigate the source of the unauthorized access.
- If the account was accessed by an unauthorized party, determine the actions they took after logging in.
- Consider enhancing your MFA policy to prevent such incidents in the future.
- Encourage users to report any unexpected MFA notifications immediately.
- Review and update your incident response plans and security policies based on the findings from the incident.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+31 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -23,7 +23,36 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta Brute Force or Password Spraying Attack"
note = """## Setup
note = """## Triage and analysis
### Investigating Okta Brute Force or Password Spraying Attack
This rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.
#### Possible investigation steps:
- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.
- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.
- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.
- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?
- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?
- Analyze any previous successful logins from this IP. Was this IP previously associated with successful logins?
### False positive analysis:
- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.
- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.
### Response and remediation:
- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.
- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.
- Enhance monitoring on the affected user accounts for any suspicious activity.
- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.
- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.
- Review and update your security policies based on the findings from the incident.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/credential_access_user_impersonation_access.toml
+30 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -19,7 +19,35 @@ interval = "15m"
language = "kuery"
license = "Elastic License v2"
name = "Okta User Session Impersonation"
note = """## Setup
note = """## Triage and analysis
### Investigating Okta User Session Impersonation
The detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.
#### Possible investigation steps
- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.
- Review the `event.action` field to confirm the initiation of the impersonation event.
- Check the `event.time` field to understand the timing of the event.
- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.
- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.
### False positive analysis
- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.
- Ensure that the impersonation session was initiated by an authorized individual. You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.
### Response and remediation
- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.
- Reset the user session and invalidate any active sessions related to the impersonated user.
- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.
- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.
- Review and update your security policies to prevent such incidents in the future.
- Implement additional monitoring and logging of Okta events to improve visibility of user actions.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+31 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -23,7 +23,36 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Deactivate an Okta Network Zone"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Deactivate an Okta Network Zone
The Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.
#### Possible investigation steps
- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.
- Examine the `event.action` field to confirm the deactivation of a network zone.
- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.
- Investigate the `event.time` field to understand when the event happened.
- Review the actor's activities before and after the event to understand the context of this event.
### False positive analysis
- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. If these match the actor's normal behavior, it might be a false positive.
- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.
- Verify the actor's actions with any known planned changes or maintenance activities.
### Response and remediation
- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.
- Re-enable the deactivated network zone if it was deactivated without authorization.
- Review and update the privileges of the actor who initiated the deactivation.
- Check the security policies and procedures to identify any gaps and update them as necessary.
- Implement additional monitoring and logging of Okta events to improve visibility of user actions.
- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+31 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -23,7 +23,36 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Delete an Okta Network Zone"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Delete an Okta Network Zone
Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.
#### Possible investigation steps:
- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.
- Examine the `event.action` field to confirm the deletion of a network zone.
- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.
- Review the `event.time` field to understand when the event happened.
- Check the actor's activities before and after the event to understand the context of this event.
### False positive analysis:
- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. If these match the actor's typical behavior, it might be a false positive.
- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.
- Cross-verify the actor's actions with any known planned changes or maintenance activities.
### Response and remediation:
- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.
- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.
- Review and update the privileges of the actor who initiated the deletion.
- Identify any gaps in the security policies and procedures and update them as necessary.
- Implement additional monitoring and logging of Okta events to improve visibility of user actions.
- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+38 -1
View File
@@ -23,7 +23,44 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Deactivate an Okta Policy"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Deactivate an Okta Policy
Okta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.
This rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. For example, disabling an MFA policy could lower the security of user authentication processes.
#### Possible investigation steps:
- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.
- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.
- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.
- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.
- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).
- Check for successful logins immediately following the policy deactivation attempt.
- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.
### False positive analysis:
- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.
- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. If these match the actor's normal behavior, it might be a false positive.
- Verify the actor's administrative rights to ensure they are correctly configured.
### Response and remediation:
- If unauthorized policy deactivation is confirmed, initiate the incident response process.
- Immediately lock the affected actor account and require a password change.
- Consider resetting MFA tokens for the actor and require re-enrollment.
- Check if the compromised account was used to access or alter any sensitive data or systems.
- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.
- Assess the criticality of affected services and servers.
- Work with your IT team to minimize the impact on users and maintain business continuity.
- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.
- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+39 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -22,7 +22,44 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Deactivate an Okta Policy Rule"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Deactivate an Okta Policy Rule
Identity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.
This rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. A threat actor may do this to remove barriers to their activities or enable future attacks.
#### Possible investigation steps:
- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.
- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.
- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.
- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.
- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).
- Check for successful logins immediately following the policy rule deactivation attempt.
- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.
### False positive analysis:
- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.
- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. If these match the actor's normal behavior, it might be a false positive.
- Verify the actor's administrative rights to ensure they are correctly configured.
### Response and remediation:
- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.
- Immediately lock the affected actor account and require a password change.
- Consider resetting MFA tokens for the actor and require re-enrollment.
- Check if the compromised account was used to access or alter any sensitive data or systems.
- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.
- Assess the criticality of affected services and servers.
- Work with your IT team to minimize the impact on users and maintain business continuity.
- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.
- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+39 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -23,7 +23,44 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Delete an Okta Policy"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Delete an Okta Policy
Okta policies are critical to managing user access and enforcing security controls within an organization. The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.
This rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. Adversaries may do this to bypass security barriers and enable further malicious activities.
#### Possible investigation steps:
- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.
- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.
- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.
- Check the `okta.outcome.result` field to confirm the policy deletion attempt.
- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).
- Check for successful logins immediately following the policy deletion attempt.
- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.
### False positive analysis:
- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.
- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. If these match the actor's normal behavior, it might be a false positive.
- Verify the actor's administrative rights to ensure they are correctly configured.
### Response and remediation:
- If unauthorized policy deletion is confirmed, initiate the incident response process.
- Immediately lock the affected actor account and require a password change.
- Consider resetting MFA tokens for the actor and require re-enrollment.
- Check if the compromised account was used to access or alter any sensitive data or systems.
- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.
- Assess the criticality of affected services and servers.
- Work with your IT team to minimize the impact on users and maintain business continuity.
- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.
- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+39 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -22,7 +22,44 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Delete an Okta Policy Rule"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Delete an Okta Policy Rule
Okta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.
This rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. Adversaries may do this to circumvent security measures and enable further malicious activities.
#### Possible investigation steps:
- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.
- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.
- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.
- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.
- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).
- Check for successful logins immediately following the policy rule deletion attempt.
- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.
### False positive analysis:
- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.
- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. If these match the actor's normal behavior, it might be a false positive.
- Verify the actor's administrative rights to ensure they are correctly configured.
### Response and remediation:
- If unauthorized policy rule deletion is confirmed, initiate the incident response process.
- Immediately lock the affected actor account and require a password change.
- Consider resetting MFA tokens for the actor and require re-enrollment.
- Check if the compromised account was used to access or alter any sensitive data or systems.
- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.
- Assess the criticality of affected services and servers.
- Work with your IT team to minimize the impact on users and maintain business continuity.
- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.
- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+37 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -23,7 +23,42 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Modify an Okta Network Zone"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Modify an Okta Network Zone
The modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.
#### Possible investigation steps:
- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.
- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.
- Examine the `okta.outcome.reason` field for additional context around the modification attempt.
- Check the `okta.outcome.result` field to confirm the network zone modification attempt.
- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).
- Check for successful logins immediately following the modification attempt.
- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.
### False positive analysis:
- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.
- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.
- Verify the actor's administrative rights to ensure they are correctly configured.
### Response and remediation:
- If unauthorized modification is confirmed, initiate the incident response process.
- Immediately lock the affected actor account and require a password change.
- Consider resetting MFA tokens for the actor and require re-enrollment.
- Check if the compromised account was used to access or alter any sensitive data or systems.
- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.
- Assess the criticality of affected services and servers.
- Work with your IT team to minimize the impact on users and maintain business continuity.
- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.
- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -23,7 +23,33 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Modify an Okta Policy"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Modify an Okta Policy
Modifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.
#### Possible investigation steps:
- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.
- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.
- Check the nature of the policy modification. You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.
- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.
- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.
### False positive analysis:
- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.
- Check if the actor associated with the event has legitimate rights to modify the Okta policies.
- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.
### Response and remediation:
- If unauthorized modification is confirmed, initiate the incident response process.
- Lock the actor's account and enforce password change as an immediate response.
- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.
- Review any other actions taken by the actor to assess the overall impact.
- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.
- Consider a security review of your Okta policies and rules to ensure they follow security best practices.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+37 -2
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -22,7 +22,42 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Modify an Okta Policy Rule"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Modify an Okta Policy Rule
The modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.
#### Possible investigation steps:
- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.
- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.
- Examine the `okta.outcome.reason` field for additional context around the modification attempt.
- Check the `okta.outcome.result` field to confirm the rule modification attempt.
- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).
- Check for successful logins immediately following the modification attempt.
- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.
### False positive analysis:
- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.
- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.
- Verify the actor's administrative rights to ensure they are correctly configured.
### Response and remediation:
- If unauthorized modification is confirmed, initiate the incident response process.
- Immediately lock the affected actor account and require a password change.
- Consider resetting MFA tokens for the actor and require re-enrollment.
- Check if the compromised account was used to access or alter any sensitive data or systems.
- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.
- Assess the criticality of affected services and servers.
- Work with your IT team to minimize the impact on users and maintain business continuity.
- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.
- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+30 -3
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -25,9 +25,36 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "High Number of Okta User Password Reset or Unlock Attempts"
note = """## Setup
note = """## Triage and analysis
### Investigating High Number of Okta User Password Reset or Unlock Attempts
This rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.
#### Possible investigation steps:
- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.
- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.
- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.
- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.
- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.
- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.
### False positive analysis:
- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.
- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.
### Response and remediation:
- If unauthorized attempts are confirmed, initiate the incident response process.
- Reset the user's password and enforce MFA re-enrollment, if applicable.
- Block the IP address or device used in the attempts, if they appear suspicious.
- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.
- Consider a security review of your Okta policies and rules to ensure they follow security best practices.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+29 -3
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -22,9 +22,35 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Revoke Okta API Token"
note = """## Setup
note = """## Triage and analysis
### Investigating Attempt to Revoke Okta API Token
The rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.
#### Possible investigation steps:
- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.
- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.
- Verify if the API token revocation was authorized or part of some planned activity.
- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.
- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.
- Evaluate the actions that happened just before and after this event. It can help understand the full context of the activity.
### False positive analysis:
- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.
### Response and remediation:
- If unauthorized revocation attempts are confirmed, initiate the incident response process.
- Block the IP address or device used in the attempts, if they appear suspicious.
- Reset the user's password and enforce MFA re-enrollment, if applicable.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+32 -3
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[rule]
author = ["Elastic"]
@@ -22,9 +22,38 @@ index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Deactivate an Okta Application"
note = """## Setup
note = """
## Triage and analysis
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
### Investigating Attempt to Deactivate an Okta Application
This rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.
#### Possible investigation steps:
- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.
- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.
- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.
- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.
- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.
- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
### False positive analysis:
- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.
- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.
### Response and remediation:
- If unauthorized deactivation attempts are confirmed, initiate the incident response process.
- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.
- Reset the user's password and enforce MFA re-enrollment, if applicable.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
+2 -2
View File
@@ -46,9 +46,9 @@ type = "eql"
query = '''
sequence by process.entity_id with maxspan=1m
[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")]
[process where host.os.type == "linux" and event.action == "session_id_change" and user.id == "0" and
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")]
'''
rules/linux/credential_access_bruteforce_password_guessing.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/28"
[rule]
author = ["Elastic"]
@@ -55,7 +55,7 @@ type = "eql"
query = '''
sequence by host.id, source.ip, user.name with maxspan=3s
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=2
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ]
rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/21"
updated_date = "2023/06/28"
[rule]
author = ["Elastic"]
@@ -69,7 +69,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
"192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
"100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
"::1", "FE80::/10", "FF00::/8") ] with runs = 3
"::1", "FE80::/10", "FF00::/8") ] with runs = 10
'''
rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/28"
[rule]
author = ["Elastic"]
@@ -65,7 +65,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
"192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
"100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
"::1", "FE80::/10", "FF00::/8") ] with runs = 3
"::1", "FE80::/10", "FF00::/8") ] with runs = 10
'''
rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
+75
View File
@@ -0,0 +1,75 @@
[metadata]
creation_date = "2023/07/06"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/06"
[rule]
author = ["Elastic"]
description = """
An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different
combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can
include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and
potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting
a specific user account from the same source address and within a short time interval, followed by a successful
authentication.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Successful Linux FTP Brute Force Attack Detected"
note = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
```
Kibana -->
Management -->
Integrations -->
Auditd Manager -->
Add Auditd Manager
```
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
```
For this detection rule no additional audit rules are required to be added to the integration.
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
risk_score = 47
rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
type = "eql"
query = '''
sequence by host.id, auditd.data.addr, related.user with maxspan=5s
[authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "failure" and
auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] with runs=10
[authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "success" and
auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
reference = "https://attack.mitre.org/techniques/T1110/001/"
[[rule.threat.technique.subtechnique]]
id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
+73
View File
@@ -0,0 +1,73 @@
[metadata]
creation_date = "2023/07/06"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/06"
[rule]
author = ["Elastic"]
description = """
An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and
password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact
can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks
within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising
the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a
specific user account within a short time interval, followed by a successful authentication.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Successful Linux RDP Brute Force Attack Detected"
note = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
```
Kibana -->
Management -->
Integrations -->
Auditd Manager -->
Add Auditd Manager
```
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
```
For this detection rule no additional audit rules are required to be added to the integration.
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
risk_score = 47
rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
type = "eql"
query = '''
sequence by host.id, related.user with maxspan=5s
[authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "failure"] with runs=10
[authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
reference = "https://attack.mitre.org/techniques/T1110/001/"
[[rule.threat.technique.subtechnique]]
id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+8 -8
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/28"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ detection by security controls.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
language = "eql"
license = "Elastic License v2"
name = "Attempt to Disable Syslog Service"
risk_score = 47
@@ -22,14 +22,14 @@ rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "query"
type = "eql"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and
((process.name:service and process.args:stop) or
(process.name:chkconfig and process.args:off) or
(process.name:systemctl and process.args:(disable or stop or kill)))
and process.args:(syslog or rsyslog or "syslog-ng")
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
( (process.name == "service" and process.args == "stop") or
(process.name == "chkconfig" and process.args == "off") or
(process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
) and process.args in ("syslog", "rsyslog", "syslog-ng")
'''
rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml
+101
View File
@@ -0,0 +1,101 @@
[metadata]
creation_date = "2023/06/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0"
min_stack_version = "8.6.0"
updated_date = "2023/06/26"
[rule]
author = ["Elastic"]
description = """
This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to
inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious
shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common
and will potentially indicate malicious or suspicious behavior.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Process Injection via LD_PRELOAD Environment Variable"
note = """## Setup
By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration.
```
Kibana -->
Fleet -->
Agent policies -->
Agent policy for which the option should be enabled -->
Name of the Elastic Defend integration -->
Show advanced settings -->
linux.advanced.capture_env_vars
```
`linux.advanced.capture_env_vars` should be set to `LD_PRELOAD,LD_LIBRARY_PATH`.
After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
"""
references = ["https://www.getambassador.io/resources/code-injection-on-linux-and-macos"]
risk_score = 47
rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and
event.action == "exec" and
process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat.technique]]
name = "Hijack Execution Flow"
id = "T1574"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
name = "Dynamic Linker Hijacking"
id = "T1574.006"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Persistence"
id = "TA0003"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat.technique]]
name = "Hijack Execution Flow"
id = "T1574"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
name = "Dynamic Linker Hijacking"
id = "T1574.006"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Privilege Escalation"
id = "TA0004"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat.technique]]
name = "Hijack Execution Flow"
id = "T1574"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
name = "Dynamic Linker Hijacking"
id = "T1574.006"
reference = "https://attack.mitre.org/techniques/T1574/006/"
rules/linux/discovery_linux_modprobe_enumeration.toml
+66
View File
@@ -0,0 +1,66 @@
[metadata]
creation_date = "2023/06/08"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/06"
[rule]
author = ["Elastic"]
description = """
Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized
access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or
unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities
within the system.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Modprobe File Event"
note = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
```
Kibana -->
Management -->
Integrations -->
Auditd Manager -->
Add Auditd Manager
```
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
```
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d -p wa -k modprobe
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
risk_score = 21
rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd"
severity = "low"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not
(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
rules/linux/discovery_linux_sysctl_enumeration.toml
+65
View File
@@ -0,0 +1,65 @@
[metadata]
creation_date = "2023/06/08"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/06"
[rule]
author = ["Elastic"]
description = """
Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential
unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl
configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Sysctl File Event"
note = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
```
Kibana -->
Management -->
Integrations -->
Auditd Manager -->
Add Auditd Manager
```
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
```
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/sysctl.d -p wa -k sysctl
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
risk_score = 21
rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02"
severity = "low"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and not process.name == "auditbeat"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
rules/linux/discovery_suspicious_proc_enumeration.toml
+75
View File
@@ -0,0 +1,75 @@
[metadata]
creation_date = "2023/06/09"
integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/09"
[rule]
author = ["Elastic"]
description = """
This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal
activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about
running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Proc Pseudo File System Enumeration"
note = """## Setup
This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
```
Kibana -->
Management -->
Integrations -->
Auditd Manager -->
Add Auditd Manager
```
`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
```
-w /proc/ -p r -k audit_proc
```
Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
"""
risk_score = 47
rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
severity = "medium"
tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and
file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[rule.threshold]
field = ["host.id", "process.pid", "process.name"]
value = 1
[[rule.threshold.cardinality]]
field = "file.path"
value = 25
rules/linux/execution_abnormal_process_id_file_created.toml
+18 -40
View File
@@ -2,8 +2,8 @@
creation_date = "2022/05/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/06/22"
[rule]
@@ -22,7 +22,7 @@ false_positives = [
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
language = "kuery"
license = "Elastic License v2"
name = "Abnormal Process ID or Lock File Created"
note = """## Triage and analysis
@@ -76,56 +76,34 @@ rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
query = '''
/* add file size filters when data is available */
file where host.os.type == "linux" and event.type == "creation" and user.id == "0" and
file.path regex~ """(/var/run|/run)/\w+\.(pid|lock|reboot)""" and file.extension in ("pid","lock","reboot") and
/* handle common legitimate files */
not file.name in (
"auditd.pid",
"python*",
"apport.pid",
"apport.lock",
"kworker*",
"gdm3.pid",
"sshd.pid",
"acpid.pid",
"unattended-upgrades.lock",
"unattended-upgrades.pid",
"cmd.pid",
"yum.pid",
"netconfig.pid",
"docker.pid",
"atd.pid",
"lfd.pid",
"atop.pid",
"nginx.pid",
"dhclient.pid",
"smtpd.pid",
"stunnel.pid",
"1_waagent.pid",
"crond.pid",
"cron.reboot",
"sssd.pid",
"tomcat8.pid"
)
host.os.type : "linux" and event.category : "file" and event.action : ("creation" or "file_create_event") and
user.id : "0" and file.path : (/var/run/* or /run/*) and file.extension : ("pid" or "lock" or "reboot") and not
file.name : ("auditd.pid" or "python*" or "apport.pid" or "apport.lock" or "kworker*" or "gdm3.pid" or "sshd.pid" or
"acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or
"docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or
"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
rules/linux/execution_python_tty_shell.toml
+10 -10
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/15"
integration = ["endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/06/29"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -13,24 +13,25 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Interactive Terminal Spawned via Python"
risk_score = 73
rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
severity = "high"
timestamp_override = "event.ingested"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
timeline_title = "Comprehensive Process Timeline"
type = "eql"
query = '''
sequence with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and process.name : "python*"] by process.entity_id
[process where host.os.type == "linux" and event.type == "start" and
process.executable : "/bin/*sh"
] by process.parent.entity_id
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
(
(process.parent.name : "python*" and process.name : "*sh" and process.parent.args_count >= 3 and
process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or
(process.parent.name : "python*" and process.name : "*sh" and process.args : "*sh" and process.args_count == 1
and process.parent.args_count == 1)
)
'''
@@ -50,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1059/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules/linux/execution_remote_code_execution_via_postgresql.toml
+50
View File
@@ -0,0 +1,50 @@
[metadata]
creation_date = "2022/06/20"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/20"
[rule]
author = ["Elastic"]
description = """
This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within
a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a
public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection
attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities
for unauthorized access and malicious actions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Code Execution via Postgresql"
risk_score = 73
rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and
event.type == "start" and user.name == "postgres" and (process.parent.args : "*sh" or process.args : "*sh")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules/linux/execution_shell_evasion_linux_binary.toml
+49 -42
View File
@@ -9,12 +9,12 @@ updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system
shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system
administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.
Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive
system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator,
and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Restricted Shell Breakout via Linux Binary(s)"
@@ -100,61 +100,68 @@ severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
(
/* launch shells from unusual process */
(process.name == "capsh" and process.args == "--") or
/* launching shells from unusual parents or parent+arg combos */
(process.name in ("bash", "sh", "dash","ash") and
(process.parent.name in ("byebug","git","ftp","strace","nawk", "mawk", "awk", "gawk", "tar", "zip")) or
/* shells specified in parent args */
/* nice rule is broken in 8.2 */
(process.parent.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and
(
(process.parent.name == "nice") or
(process.parent.name == "cpulimit" and process.parent.args == "-f") or
(process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";") or
(process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/")
)
) or
/* shells specified in args */
(process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and
(process.parent.name == "crash" and process.parent.args == "-h") or
(process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog")
/* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */
)
(
/* launching shell from capsh */
(process.name == "capsh" and process.args == "--") or
/* launching shells from unusual parents or parent+arg combos */
(process.name : "*sh" and (
(process.parent.name : ("byebug", "ftp", "strace", "zip", "*awk", "git", "tar") and
(
process.parent.args : "BEGIN {system(*)}" or
(process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or
(
(process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or
(process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh"))
)
)
) or
(process.name == "busybox" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") )or
(process.name == "env" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash")) or
(process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args in (":!/bin/bash", ":!/bin/sh", ":!bash", ":!sh")) or
(process.parent.name in ("c89","c99", "gcc") and process.parent.args in ("sh,-s", "bash,-s", "dash,-s", "ash,-s", "/bin/sh,-s", "/bin/bash,-s", "/bin/dash,-s", "/bin/ash,-s") and process.parent.args == "-wrapper") or
(process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args in ("spawn /bin/sh;interact", "spawn /bin/bash;interact", "spawn /bin/dash;interact", "spawn sh;interact", "spawn bash;interact", "spawn dash;interact")) or
(process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args in ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")) or
(process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2"))
)
'''
/* shells specified in parent args */
/* nice rule is broken in 8.2 */
(process.parent.args : "*sh" and
(
(process.parent.name == "nice") or
(process.parent.name == "cpulimit" and process.parent.args == "-f") or
(process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";" and process.parent.args == "-p") or
(process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/")
)
)
)) or
/* shells specified in args */
(process.args : "*sh" and (
(process.parent.name == "crash" and process.parent.args == "-h") or
(process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog")
/* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */
)) or
(process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox") or
(process.name == "env" and process.args_count == 2 and process.args : "*sh") or
(process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or
(process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or
(process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args : "spawn *sh;interact") or
(process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args : "\\!*sh") or
(process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args : "ProxyCommand=;*sh 0<&2 1>&2")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
+75
View File
@@ -0,0 +1,75 @@
[metadata]
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/04"
[rule]
author = ["Elastic"]
description = """
This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells
spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured
through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Suspicious Parent Process"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
type = "eql"
query = '''
sequence by host.id, process.parent.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and (
(process.name : "python*" and process.args : "-c") or
(process.name : "php*" and process.args : "-r") or
(process.name : "perl" and process.args : "-e") or
(process.name : "ruby" and process.args : ("-e", "-rsocket")) or
(process.name : "lua*" and process.args : "-e") or
(process.name : "openssl" and process.args : "-connect") or
(process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
(process.name : "telnet" and process.args_count >= 3) or
(process.name : "awk")) and
process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and
process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
rules/linux/execution_shell_via_java_revshell_linux.toml
+66
View File
@@ -0,0 +1,66 @@
[metadata]
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/04"
[rule]
author = ["Elastic"]
description = """
This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming
network connection. This behavior may indicate reverse shell activity via a Java application.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Java"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") ] by process.entity_id
[ process where host.os.type == "linux" and event.action == "exec" and
process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
process.parent.args : "-jar" and process.executable : "*sh" ] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
+75
View File
@@ -0,0 +1,75 @@
[metadata]
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/04"
[rule]
author = ["Elastic"]
description = """
This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by
the specified utilities that are initialized from a single process followed by a network connection attempt will be
captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Suspicious Child Process"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.name : "python*" and process.args : "-c") or
(process.name : "php*" and process.args : "-r") or
(process.name : "perl" and process.args : "-e") or
(process.name : "ruby" and process.args : ("-e", "-rsocket")) or
(process.name : "lua*" and process.args : "-e") or
(process.name : "openssl" and process.args : "-connect") or
(process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
(process.name : "telnet" and process.args_count >= 3) or
(process.name : "awk")) and
process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and
process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
rules/linux/execution_shell_via_suspicious_binary.toml
+80
View File
@@ -0,0 +1,80 @@
[metadata]
creation_date = "2023/07/05"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
description = """
This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary
(located in a commonly abused location or executed manually) followed by a network event and ending with a shell being
spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish
persistence onto a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Suspicious Binary"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.executable : (
"./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
"/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*",
"/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local"
) and
process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not
process.name : ("curl", "wget", "ping", "apt", "dpkg", "yum", "rpm", "dnf", "dockerd") ]
[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and
process.executable : (
"./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
"/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*",
"/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local"
) ]
[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
+67
View File
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/04"
[rule]
author = ["Elastic"]
description = """
This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This
activity consists of a parent-child relationship where a network event is followed by the creation of a shell process.
An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
type = "eql"
query = '''
sequence by host.id with maxspan=1s
[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.entity_id
[ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "fork") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
+73
View File
@@ -0,0 +1,73 @@
[metadata]
creation_date = "2023/06/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/26"
[rule]
author = ["Elastic"]
description = """
Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility.
Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The
output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is
consistent with malware families such as Bundlore.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Content Extracted or Decompressed via Funzip"
references = [
"https://attack.mitre.org/software/S0482/"
]
risk_score = 47
rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
not process.args : "/var/log/messages" and
not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and
not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
name = "Unix Shell"
id = "T1059.004"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Defense Evasion"
id = "TA0005"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat.technique]]
name = "Obfuscated Files or Information"
id = "T1027"
reference = "https://attack.mitre.org/techniques/T1027/"
[[rule.threat.technique]]
name = "Deobfuscate/Decode Files or Information"
id = "T1140"
reference = "https://attack.mitre.org/techniques/T1140/"
rules/linux/execution_suspicious_executable_running_system_commands.toml
+70
View File
@@ -0,0 +1,70 @@
[metadata]
creation_date = "2023/06/14"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/06/14"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of several commonly used system commands executed by a previously unknown
executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially
malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code.
Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the
system and its data from potential compromise.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious System Commands Executed by Previously Unknown Executable"
risk_score = 21
rule_id = "e9001ee6-2d00-4d2f-849e-b8b1fb05234c"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type : "linux" and event.category : "process" and
event.action : ("exec" or "exec_event" or "fork" or "fork_event") and
process.executable : (
/bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or
/etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or
/usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*
) and process.args : (
"whoami" or "id" or "hostname" or "uptime" or "top" or "ifconfig" or "netstat" or "route" or
"ps" or "pwd" or "ls"
) and not process.name : (
"sudo" or "which" or "whoami" or "id" or "hostname" or "uptime" or "top" or "netstat" or "ps" or
"pwd" or "ls" or "apt" or "dpkg" or "yum" or "rpm" or "dnf" or "dockerd" or "snapd" or "snap"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
name = "Unix Shell"
id = "T1059.004"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
rules/linux/impact_data_encrypted_via_openssl.toml
+51
View File
@@ -0,0 +1,51 @@
[metadata]
creation_date = "2023/06/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/26"
[rule]
author = ["Elastic"]
description = """
Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window.
Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data
and may attempt to hold the organization's data to ransom for the purposes of extortion.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Data Encryption via OpenSSL Utility"
references = [
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
"https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html",
]
risk_score = 47
rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
type = "eql"
query = '''
sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
[ process where host.os.type == "linux" and event.action == "exec" and
process.name == "openssl" and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl*", "php*", "python*", "xargs") and
process.args == "-in" and process.args == "-out" and
process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and
/* excluding base64 encoding options and including encryption password or key params */
not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Impact"
id = "TA0040"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat.technique]]
name = "Data Encrypted for Impact"
id = "T1486"
reference = "https://attack.mitre.org/techniques/T1486/"
rules/linux/impact_potential_linux_ransomware_file_encryption.toml
+18 -9
View File
@@ -4,16 +4,15 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/20"
updated_date = "2023/06/15"
[rule]
author = ["Elastic"]
description = """
Ransomware is a type of malware that encrypts a victim's files or systems and demands payment
(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a
ransomware attack is the mass encryption of the file system, after which a new file extension
is added to the file. This rule identifies a sequence of 50 file extension rename events
by the same process in a timespan of 1 second.
This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same
process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and
demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware
attack is the mass encryption of the file system, after which a new file extension is added to the file.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -26,9 +25,19 @@ severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
type = "eql"
query = '''
sequence by host.id, process.entity_id, file.extension with maxspan=1s
[ file where host.os.type == "linux" and event.type == "change" and
event.action == "rename" and file.extension != "" ] with runs=50 | tail 1
sequence by host.id, process.entity_id with maxspan=1s
[ file where host.os.type == "linux" and event.type == "change" and
event.action == "rename" and file.extension != "" and
file.path : (
"/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
) and not
file.extension : (
"xml", "json", "conf", "dat", "gz", "info", "mod", "final",
"php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
) and not
process.name : (
"dpkg", "yum", "dnf", "rpm", "dockerd"
) ] with runs=100 | tail 1
'''
rules/linux/impact_potential_linux_ransomware_note_detected.toml
+23 -22
View File
@@ -4,18 +4,16 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/20"
updated_date = "2023/06/15"
[rule]
author = ["Elastic"]
description = """
Ransomware is a type of malware that encrypts a victim's files or systems and demands payment
(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a
ransomware attack is the mass encryption of the file system, after which a new file extension
is added to the file. Generally, a ransomware note with contact details is dropped onto the
file system which can be used by the victim to contact the attacker. This rule identifies a
sequence of a mass file encryption event in conjunction with the creation of a .txt file with
a file name containing ransomware keywords executed by the same process in a 1 second timespan.
This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with
a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of
malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the
decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a
new file extension is added to the file.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -29,20 +27,23 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[ file where host.os.type == "linux" and event.type == "change" and
event.action == "rename" and file.extension != "" ] with runs=50
[ file where host.os.type == "linux" and event.action == "creation" and
file.extension == "txt" and file.name : (
"*crypt*",
"*restore*",
"*lock*",
"*recovery*",
"*data*",
"*read*",
"*instruction*",
"*how_to*",
"*ransom*"
) ] | tail 1
[ file where host.os.type == "linux" and event.type == "change" and
event.action == "rename" and file.extension != "" and
file.path : (
"/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
) and not
file.extension : (
"xml", "json", "conf", "dat", "gz", "info", "mod", "final",
"php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
) and not
process.name : (
"dpkg", "yum", "dnf", "rpm", "dockerd"
) ] with runs=100
[ file where host.os.type == "linux" and event.action == "creation" and file.extension == "txt" and
file.name : (
"*crypt*", "*restore*", "*lock*", "*recovery*", "*data*",
"*read*", "*instruction*", "*how_to*", "*ransom*"
) ] | tail 1
'''
rules/linux/impact_process_kill_threshold.toml
+1 -1
View File
@@ -72,6 +72,6 @@ name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.threshold]
field = ["host.id"]
field = ["host.id", "process.executable", "user.name"]
value = 10
rules/linux/persistence_chkconfig_service_add.toml
+2 -2
View File
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/29"
integration = ["endpoint"]
[rule]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
(
(process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
(process.args : "*chkconfig" and process.args : "--add")
rules/linux/persistence_etc_file_creation.toml
+8 -6
View File
@@ -9,7 +9,9 @@ integration = ["endpoint"]
[rule]
author = ["Elastic"]
description = """
Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.
Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and
elevate privileges on compromised systems. File creation in these directories should not be entirely common and could
indicate a malicious binary or script installing persistence mechanisms for long term access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -28,10 +30,11 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "creation" and user.name == "root" and
file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*")
and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic",
"*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor")
file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and
file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
"/usr//lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd",
"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension == "swp"
'''
[[rule.threat]]
@@ -107,4 +110,3 @@ reference = "https://attack.mitre.org/techniques/T1548/"
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
rules/linux/persistence_init_d_file_creation.toml
+108 -13
View File
@@ -2,24 +2,122 @@
creation_date = "2023/03/21"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/04/03"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve File Information"
query = "SELECT * FROM file WHERE path = {{file.path}}"
[[transform.osquery]]
label = "Osquery - Retrieve File Listing Information"
query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')"
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
query = """
SELECT
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')
"""
[[transform.osquery]]
label = "Osquery - Retrieve Running Processes by User"
query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
[[transform.osquery]]
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
description = """
Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications,
services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd, however,
through the "systemd-sysv-generator" init.d files can be converted to service unit files that run at boot.
Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code on boot
time in order to gain persistence onto the system.
Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts
or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the
"systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or
alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence
on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence Through init.d Detected"
note = """## Triage and analysis
### Investigating Potential Persistence Through init.d Detected
The `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.
Attackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.
This rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible Investigation Steps
- Investigate the file that was created or modified.
- $osquery_0
- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.
- $osquery_1
- $osquery_2
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_3
- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.
- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.
- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- Check if the domain is newly registered or unexpected.
- Check the reputation of the domain or IP address.
- File access, modification, and creation activities.
- Cron jobs, services and other persistence mechanisms.
- $osquery_4
### False Positive Analysis
- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.
- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account.
- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.
### Related Rules
- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Delete the maliciously created service/init.d files or restore it to the original configuration.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
@@ -29,35 +127,32 @@ references = [
risk_score = 47
rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
file.path : /etc/init.d/* and not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not
file.extension : "swp"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
rules/linux/persistence_linux_backdoor_user_creation.toml
+68 -1
View File
@@ -6,6 +6,27 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve User Accounts with a UID of 0"
query = "SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'"
[[transform.osquery]]
label = "Osquery - Retrieve Running Processes by User"
query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
[[transform.osquery]]
label = "Osquery - Retrieve Information for a Specific User"
query = "SELECT * FROM users WHERE username = {{user.name}}"
[[transform.osquery]]
label = "Osquery - Investigate the Account Authentication Status"
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
[[transform.osquery]]
label = "Osquery - Retrieve Information for a Specific Group"
query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
[rule]
author = ["Elastic"]
description = """
@@ -17,10 +38,56 @@ index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Backdoor User Account Creation"
note = """## Triage and analysis
### Investigating Potential Linux Backdoor User Account Creation
The `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.
Attackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.
This rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible investigation steps
- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.
- $osquery_0
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_1
- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.
- $osquery_2
- Investigate whether the user is currently logged in and active.
- $osquery_3
- Identify if the account was added to privileged groups or assigned special privileges after creation.
- $osquery_4
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Delete the created account.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
risk_score = 47
rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
rules/linux/persistence_linux_group_creation.toml
+64 -1
View File
@@ -6,6 +6,23 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve Information for a Specific Group"
query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
[[transform.osquery]]
label = "Osquery - Retrieve Information for a Specific User"
query = "SELECT * FROM users WHERE username = {{user.name}}"
[[transform.osquery]]
label = "Osquery - Investigate the Account Authentication Status"
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
[[transform.osquery]]
label = "Osquery - Retrieve Running Processes by User"
query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
[rule]
author = ["Elastic"]
description = """
@@ -16,10 +33,56 @@ index = ["logs-system.auth-*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Group Creation"
note = """## Triage and analysis
### Investigating Linux Group Creation
The `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.
Attackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.
This rule identifies the usages of `groupadd` and `addgroup` to create new groups.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible investigation steps
- Investigate whether the group was created succesfully.
- $osquery_0
- Identify if a user account was added to this group after creation.
- $osquery_1
- Investigate whether the user is currently logged in and active.
- $osquery_2
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_3
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Delete the created group and, in case an account was added to this group, delete the account.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
risk_score = 21
rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
rules/linux/persistence_linux_shell_activity_via_web_server.toml
+84 -8
View File
@@ -4,11 +4,36 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/03"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve Listening Ports"
query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports"
[[transform.osquery]]
label = "Osquery - Retrieve Open Sockets"
query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"
[[transform.osquery]]
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[[transform.osquery]]
label = "Osquery - Retrieve Process Info for Webapp User"
query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}"
[[transform.osquery]]
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
description = """
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.
Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor
file that can be abused to gain code execution as a mechanism for persistence.
"""
false_positives = [
"""
Network monitoring or management products may have a web server component that runs shell commands as part of normal
@@ -20,6 +45,58 @@ index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Code Execution via Web Server"
note = """## Triage and analysis
### Investigating Potential Remote Code Execution via Web Server
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.
This rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible investigation steps
- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.
- Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.
- $osquery_0
- $osquery_1
- Investigate the process information for malicious or uncommon processes/process trees.
- $osquery_2
- Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes.
- $osquery_3
- Examine the command line to determine which commands or scripts were executed.
- Investigate other alerts associated with the user/host during the past 48 hours.
- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- Check if the domain is newly registered or unexpected.
- Check the reputation of the domain or IP address.
- File access, modification, and creation activities.
- Cron jobs, services and other persistence mechanisms.
- $osquery_4
### False positive analysis
- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://pentestlab.blog/tag/web-shell/",
"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
@@ -27,10 +104,9 @@ references = [
risk_score = 73
rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event") and process.parent.executable : (
@@ -48,32 +124,32 @@ process.name : ("*sh", "python*", "perl", "php*", "tmux") and
process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"
[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
rules/linux/persistence_linux_user_account_creation.toml
+63 -1
View File
@@ -6,6 +6,23 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve Information for a Specific User"
query = "SELECT * FROM users WHERE username = {{user.name}}"
[[transform.osquery]]
label = "Osquery - Investigate the Account Authentication Status"
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
[[transform.osquery]]
label = "Osquery - Retrieve Information for a Specific Group"
query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
[[transform.osquery]]
label = "Osquery - Retrieve Running Processes by User"
query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
[rule]
author = ["Elastic"]
description = """
@@ -16,10 +33,55 @@ index = ["logs-system.auth-*"]
language = "eql"
license = "Elastic License v2"
name = "Linux User Account Creation"
note = """## Triage and analysis
### Investigating Linux User Account Creation
The `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.
Attackers may create new accounts (both local and domain) to maintain access to victim systems.
This rule identifies the usage of `useradd` and `adduser` to create new accounts.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible investigation steps
- Investigate whether the user was created succesfully.
- $osquery_0
- Investigate whether the user is currently logged in and active.
- $osquery_1
- Identify if the account was added to privileged groups or assigned special privileges after creation.
- $osquery_2
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_3
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Delete the created account.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
risk_score = 21
rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
rules/linux/persistence_linux_user_added_to_privileged_group.toml
+63 -1
View File
@@ -6,6 +6,23 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve Information for a Specific User"
query = "SELECT * FROM users WHERE username = {{user.name}}"
[[transform.osquery]]
label = "Osquery - Investigate the Account Authentication Status"
query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
[[transform.osquery]]
label = "Osquery - Retrieve Information for a Specific Group"
query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
[[transform.osquery]]
label = "Osquery - Retrieve Running Processes by User"
query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
[rule]
author = ["Elastic"]
description = """
@@ -17,10 +34,55 @@ index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Linux User Added to Privileged Group"
note = """## Triage and analysis
### Investigating Linux User User Added to Privileged Group
The `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.
Attackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.
This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible investigation steps
- Investigate whether the user was succesfully added to the privileged group.
- $osquery_0
- Investigate whether the user is currently logged in and active.
- $osquery_1
- Retrieve information about the privileged group to which the user was added.
- $osquery_2
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_3
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Delete the account that seems to be involved in malicious activity.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
risk_score = 47
rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
rules/linux/persistence_message_of_the_day_creation.toml
+100 -11
View File
@@ -2,9 +2,45 @@
creation_date = "2023/02/28"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/04/05"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve File Information"
query = "SELECT * FROM file WHERE path = {{file.path}}"
[[transform.osquery]]
label = "Osquery - Retrieve File Listing Information"
query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
query = """
SELECT
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')
"""
[[transform.osquery]]
label = "Osquery - Retrieve Running Processes by User"
query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
[[transform.osquery]]
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
@@ -21,41 +57,94 @@ index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence Through MOTD File Creation Detected"
note = """## Triage and analysis
### Investigating Potential Persistence Through MOTD File Creation Detected
The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.
Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.
This rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible Investigation Steps
- Investigate the file that was created or modified.
- $osquery_0
- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.
- $osquery_1
- $osquery_2
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_3
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.
- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- Check if the domain is newly registered or unexpected.
- Check the reputation of the domain or IP address.
- File access, modification, and creation activities.
- Cron jobs, services and other persistence mechanisms.
- $osquery_4
### Related Rules
- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447
### False positive analysis
- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Delete the MOTD files or restore their original configuration.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
]
risk_score = 47
rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
type = "new_terms"
query = '''
host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not
process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not
file.extension : "swp"
process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not file.extension : "swp"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
value = "now-7d"
rules/linux/persistence_message_of_the_day_execution.toml
+95 -6
View File
@@ -4,8 +4,43 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/03"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve File Information"
query = "SELECT * FROM file WHERE path = {{file.path}}"
[[transform.osquery]]
label = "Osquery - Retrieve File Listing Information"
query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
query = """
SELECT
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')
"""
[[transform.osquery]]
label = "Osquery - Retrieve Running Processes by User"
query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
[[transform.osquery]]
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
description = """
@@ -21,16 +56,72 @@ index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Process Spawned from MOTD Detected"
note = """## Triage and analysis
### Investigating Suspicious Process Spawned from MOTD Detected
The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.
Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.
This rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible Investigation Steps
- Investigate the file that was created or modified from which the suspicious process was executed.
- $osquery_0
- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.
- $osquery_1
- $osquery_2
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_3
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.
- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- Check if the domain is newly registered or unexpected.
- Check the reputation of the domain or IP address.
- File access, modification, and creation activities.
- Cron jobs, services, and other persistence mechanisms.
- $osquery_4
### Related Rules
- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f
### False positive analysis
- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Delete the MOTD files or restore them to the original configuration.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
]
risk_score = 73
rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and
event.type == "start" and event.action : ("exec", "exec_event") and
@@ -38,16 +129,14 @@ process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*
process.executable : ("*sh", "python*", "perl", "php*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
rules/linux/persistence_rc_script_creation.toml
+77 -3
View File
@@ -6,6 +6,23 @@ min_stack_comments = "Multiple field support in the New Terms rule type was adde
min_stack_version = "8.6.0"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve File Information"
query = "SELECT * FROM file WHERE path = {{file.path}}"
[[transform.osquery]]
label = "Osquery - Retrieve Running Processes by User"
query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
[[transform.osquery]]
label = "Osquery - Retrieve rc-local.service File Information"
query = "SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')"
[[transform.osquery]]
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
description = """
@@ -17,10 +34,68 @@ boot. Adversaries may alter rc.local to execute malicious code at start-up, and
system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*", "endgame-*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence Through Run Control Detected"
note = """## Triage and analysis
### Investigating Potential Persistence Through Run Control Detected
The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.
There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.
Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible Investigation Steps
- Identify the user account that performed the action and whether it should perform this kind of action.
- Investigate the file that was created or modified.
- $osquery_0
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_1
- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.
- $osquery_2
- In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.
- If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep "rc-local.service|/etc/rc.local Compatibility"` can be executed to check for the execution of the service.
- If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.
- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.
- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- Check if the domain is newly registered or unexpected.
- Check the reputation of the domain or IP address.
- File access, modification, and creation activities.
- Cron jobs, services and other persistence mechanisms.
- $osquery_3
### False Positive Analysis
- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.
- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.
- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Delete the `service/rc.local` files or restore their original configuration.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
@@ -30,9 +105,8 @@ references = [
risk_score = 47
rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
type = "new_terms"
query = '''
host.os.type : "linux" and event.category : "file" and
event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
rules/linux/persistence_systemd_scheduled_timer_created.toml
+114 -7
View File
@@ -2,9 +2,59 @@
creation_date = "2023/02/24"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/04/05"
updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve File Information"
query = "SELECT * FROM file WHERE path = {{file.path}}"
[[transform.osquery]]
label = "Osquery - Retrieve File Listing Information"
query = """
SELECT * FROM file WHERE (
path LIKE '/etc/systemd/system/%' OR
path LIKE '/usr/local/lib/systemd/system/%' OR
path LIKE '/lib/systemd/system/%' OR
path LIKE '/usr/lib/systemd/system/%' OR
path LIKE '/home/user/.config/systemd/user/%'
)
"""
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
query = """
SELECT
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE (
path LIKE '/etc/systemd/system/%' OR
path LIKE '/usr/local/lib/systemd/system/%' OR
path LIKE '/lib/systemd/system/%' OR
path LIKE '/usr/lib/systemd/system/%' OR
path LIKE '/home/{{user.name}}/.config/systemd/user/%'
)
"""
[[transform.osquery]]
label = "Osquery - Retrieve Running Processes by User"
query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
[[transform.osquery]]
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
@@ -19,6 +69,64 @@ index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "New Systemd Timer Created"
note = """## Triage and analysis
### Investigating New Systemd Timer Created
Systemd timers are used for scheduling and automating recurring tasks or services on Linux systems.
Attackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file.
This rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible Investigation Steps
- Investigate the timer file that was created or modified.
- $osquery_0
- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.
- Search for the systemd service file named similarly to the timer that was created.
- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.
- $osquery_1
- $osquery_2
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_3
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.
- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.
- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- Check if the domain is newly registered or unexpected.
- Check the reputation of the domain or IP address.
- File access, modification, and creation activities.
- Cron jobs, services and other persistence mechanisms.
- $osquery_4
### False Positive Analysis
- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.
- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account.
- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Delete the service/timer or restore its original configuration.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://opensource.com/article/20/7/systemd-timers",
"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
@@ -26,10 +134,9 @@ references = [
risk_score = 21
rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or
@@ -39,26 +146,26 @@ process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm")
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.006"
name = "Systemd Timers"
reference = "https://attack.mitre.org/techniques/T1053/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+2 -1
View File
@@ -28,7 +28,8 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload
event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and
event.action:(updated or renamed or rename)
'''
rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
+87
View File
@@ -0,0 +1,87 @@
[metadata]
creation_date = "2023/06/09"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/09"
integration = ["endpoint"]
[rule]
author = ["Elastic"]
description = """
This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential
compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different
kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures,
escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to
tamper with the system's trusted state, allowing e.g. a VM Escape.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Kernel Load or Unload via Kexec Detected"
references = [
"https://www.crowdstrike.com/blog/venom-vulnerability-details/",
"https://www.makeuseof.com/what-is-venom-vulnerability/",
"https://madaidans-insecurities.github.io/guides/linux-hardening.html"
]
risk_score = 73
rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and
process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1601"
name = "Modify System Image"
reference = "https://attack.mitre.org/techniques/T1601/"
[[rule.threat.technique.subtechnique]]
id = "T1601.001"
name = "Patch System Image"
reference = "https://attack.mitre.org/techniques/T1601/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/linux/privilege_escalation_shadow_file_read.toml
+21 -38
View File
@@ -2,8 +2,8 @@
creation_date = "2022/09/01"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"
[rule]
@@ -14,77 +14,60 @@ privileges to root, threat actors may attempt to read or dump this file in order
utilize these to move laterally undetected and access additional resources.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Shadow File Read via Command Line Utilities"
references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
risk_score = 47
rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
type = "new_terms"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root"
and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow"))
and not process.executable:
("/usr/bin/tar",
"/bin/tar",
"/usr/bin/gzip",
"/bin/gzip",
"/usr/bin/zip",
"/bin/zip",
"/usr/bin/stat",
"/bin/stat",
"/usr/bin/cmp",
"/bin/cmp",
"/usr/bin/sudo",
"/bin/sudo",
"/usr/bin/find",
"/bin/find",
"/usr/bin/ls",
"/bin/ls",
"/usr/bin/uniq",
"/bin/uniq",
"/usr/bin/unzip",
"/bin/unzip",
"/usr/sbin/restorecon",
"/sbin/restorecon")
and not process.parent.executable: "/bin/dracut" and
not (process.executable : ("/bin/chown", "/usr/bin/chown") and process.args : "root:shadow") and
not (process.executable : ("/bin/chmod", "/usr/bin/chmod") and process.args : "640")
host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and
(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not
(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") and not
(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.008"
name = "/etc/passwd and /etc/shadow"
reference = "https://attack.mitre.org/techniques/T1003/008/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
rules/network/discovery_potential_network_sweep_detected.toml
+68
View File
@@ -0,0 +1,68 @@
[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/05/26"
[rule]
author = ["Elastic"]
description = '''
This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target
network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and
weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized
access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts
from one source host to 10 or more destination hosts on commonly used network services.
'''
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Network Sweep Detected"
risk_score = 47
rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
severity = "medium"
tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
type = "threshold"
query = '''
destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"
[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
[rule.threshold]
field = ["source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.ip"
value = 10
rules/network/discovery_potential_port_scan_detected.toml
+69
View File
@@ -0,0 +1,69 @@
[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/05/26"
[rule]
author = ["Elastic"]
description = '''
This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a
target system or network for open ports, allowing them to identify available services and potential vulnerabilities.
By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining
unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further
exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts
from one source host to 20 or more destination ports.
'''
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Network Scan Detected"
risk_score = 47
rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
severity = "medium"
tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
type = "threshold"
query = '''
destination.port :* and event.action: ("network_flow" or "connection_accepted" or "connection_attempted" )
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"
[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
[rule.threshold]
field = ["destination.ip", "source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.port"
value = 20
rules/network/discovery_potential_syn_port_scan_detected.toml
+69
View File
@@ -0,0 +1,69 @@
[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/05/26"
[rule]
author = ["Elastic"]
description = '''
This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a
target network for open ports by sending SYN packets to multiple ports and observing the response.
Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation,
allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its
security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic
to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.
'''
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential SYN-Based Network Scan Detected"
risk_score = 47
rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
severity = "medium"
tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
type = "threshold"
query = '''
destination.port :* and network.packets <= 2
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"
[[rule.threat.technique.subtechnique]]
id = "T1595.001"
name = "Scanning IP Blocks"
reference = "https://attack.mitre.org/techniques/T1595/001/"
[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
[rule.threshold]
field = ["destination.ip", "source.ip"]
value = 1
[[rule.threshold.cardinality]]
field = "destination.port"
value = 10
rules/windows/collection_mailbox_export_winlog.toml
+5 -2
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -68,7 +68,10 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest"
event.category:process and host.os.type:windows and
powershell.file.script_block_text : "New-MailboxExportRequest" and
not (file.path : (*Microsoft* and *Exchange* and *RemotePowerShell* or *AppData* and *Local*) and
file.name:(*.psd1 or *.psm1))
'''
rules/windows/collection_posh_audio_capture.toml
+9 -3
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/17"
[rule]
author = ["Elastic"]
@@ -82,8 +82,14 @@ type = "query"
query = '''
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"Get-MicrophoneAudio" or (waveInGetNumDevs and mciSendStringA)
) and not user.id : "S-1-5-18"
"Get-MicrophoneAudio" or
"WindowsAudioDevice-Powershell-Cmdlet" or
(waveInGetNumDevs and mciSendStringA)
)
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
and not user.id : "S-1-5-18"
'''
rules/windows/collection_posh_clipboard_capture.toml
+9 -1
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/28"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -95,7 +95,15 @@ event.category:process and host.os.type:windows and
"]::GetText" or
".Paste()"
)) or powershell.file.script_block_text : "Get-Clipboard"
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
and not user.id : "S-1-5-18"
and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)
and not (
file.path : *WindowsPowerShell*Modules*.ps1 and
file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1")
)
'''
rules/windows/collection_posh_keylogger.toml
+4 -1
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/28"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -93,6 +93,9 @@ event.category:process and host.os.type:windows and
(GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL")
)
) and not user.id : "S-1-5-18"
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''
rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+36 -2
View File
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/05/02"
updated_date = "2023/05/31"
[rule]
author = ["Elastic"]
@@ -19,6 +19,40 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "First Time Seen Commonly Abused Remote Access Tool Execution"
note = """
## Triage and analysis
### Investigating First Time Seen Commonly Abused Remote Access Tool Execution
Remote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.
At the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.
This rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Check if the execution of the remote access tool is approved by the organization's IT department.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Contact the account owner and confirm whether they are aware of this activity.
- If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.
- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.
### False positive analysis
- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.
- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
"https://attack.mitre.org/techniques/T1219/",
@@ -26,7 +60,7 @@ references = [
risk_score = 47
rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"
rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+40 -5
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"
updated_date = "2023/06/27"
[rule]
author = ["Elastic"]
@@ -18,7 +18,44 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "FirstTime Seen Account Performing DCSync"
note = """## Setup
note = """## Triage and analysis
### Investigating FirstTime Seen Account Performing DCSync
Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.
Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.
Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.
More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).
This rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.
#### Possible investigation steps
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account and system owners and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.
- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).
### False positive analysis
- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.
- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- If the entire domain or the `krbtgt` user was compromised:
- Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.
- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
## Setup
The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
@@ -33,8 +70,6 @@ Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
@@ -47,7 +82,7 @@ references = [
risk_score = 73
rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"
rules/windows/credential_access_dcsync_replication_rights.toml
+3 -6
View File
@@ -30,7 +30,7 @@ Adversaries can use the DCSync technique that uses Windows Domain Controller's A
More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).
This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).
This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).
#### Possible investigation steps
@@ -48,9 +48,8 @@ This rule monitors for Event ID 4662 (Operation was performed on an Active Direc
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- If specific credentials were compromised:
- Reset the password for these accounts and other potentially compromised credentials, like email, business systems, and web services.
- If the entire domain or the `krbtgt` user were compromised:
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- If the entire domain or the `krbtgt` user was compromised:
- Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.
- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
@@ -71,8 +70,6 @@ Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2022/06/29"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
min_stack_version = "8.8.0"
updated_date = "2023/06/29"
[rule]
author = ["Elastic"]
rules/windows/credential_access_posh_invoke_ninjacopy.toml
+48 -2
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/19"
[rule]
author = ["Elastic"]
@@ -17,13 +17,45 @@ index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Invoke-NinjaCopy script"
note = """## Triage and analysis
### Investigating PowerShell Invoke-NinjaCopy script
PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.
Invoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.
#### Possible investigation steps
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Examine file or network events from the involved PowerShell process for suspicious behavior.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Evaluate whether the user needs to use PowerShell to complete tasks.
- Determine whether the script stores the captured data locally.
- Check if the imported function was executed and which file it targeted.
### False positive analysis
- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"
]
risk_score = 47
rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
@@ -39,6 +71,9 @@ event.category:process and host.os.type:windows and
"Invoke-NinjaCopy"
)
and not user.id : "S-1-5-18"
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''
@@ -85,3 +120,14 @@ id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1006"
name = "Direct Volume Access"
reference = "https://attack.mitre.org/techniques/T1006/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/windows/credential_access_posh_request_ticket.toml
+4 -1
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -85,6 +85,9 @@ event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
KerberosRequestorSecurityToken
) and not user.id : "S-1-5-18"
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''
rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2021/09/27"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
min_stack_version = "8.8.0"
updated_date = "2023/06/29"
[rule]
author = ["Elastic"]
rules/windows/credential_access_saved_creds_vault_winlog.toml
+6 -4
View File
@@ -38,12 +38,14 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
/* 2 consecutive vault reads from same pid for web creds */
[any where event.code : "5382" and
(winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
not winlog.event_data.SubjectLogonId : "0x3e7"]
(winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
not winlog.event_data.SubjectLogonId : "0x3e7" and
not winlog.event_data.Resource : "http://localhost/"]
[any where event.code : "5382" and
(winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
not winlog.event_data.SubjectLogonId : "0x3e7"]
(winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
not winlog.event_data.SubjectLogonId : "0x3e7" and
not winlog.event_data.Resource : "http://localhost/"]
'''
rules/windows/credential_access_suspicious_lsass_access_generic.toml
+20 -20
View File
@@ -2,9 +2,9 @@
creation_date = "2023/01/22"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
min_stack_version = "8.8.0"
updated_date = "2023/06/29"
[rule]
author = ["Elastic"]
@@ -30,23 +30,23 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.code == "10" and
winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
not winlog.event_data.GrantedAccess :
("0x1000", "0x1400", "0x101400", "0x101000", "0x101001", "0x100000", "0x100040", "0x3200", "0x40", "0x3200") and
not process.name : ("procexp64.exe", "procmon.exe", "procexp.exe", "Microsoft.Identity.AadConnect.Health.AadSync.Host.ex") and
not process.executable :
("?:\\Windows\\System32\\lsm.exe",
"?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\CCM\\CcmExec.exe",
"?:\\Windows\\system32\\csrss.exe",
"?:\\Windows\\system32\\wininit.exe",
"?:\\Windows\\system32\\wbem\\wmiprvse.exe",
"?:\\Windows\\system32\\MRT.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*",
"?:\\ProgramData\\WebEx\\webex\\*",
"?:\\Windows\\LTSvc\\LTSVC.exe") and
not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
not winlog.event_data.GrantedAccess :
("0x1000", "0x1400", "0x101400", "0x101000", "0x101001", "0x100000", "0x100040", "0x3200", "0x40", "0x3200") and
not process.name : ("procexp64.exe", "procmon.exe", "procexp.exe", "Microsoft.Identity.AadConnect.Health.AadSync.Host.ex") and
not process.executable :
("?:\\Windows\\System32\\lsm.exe",
"?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\CCM\\CcmExec.exe",
"?:\\Windows\\system32\\csrss.exe",
"?:\\Windows\\system32\\wininit.exe",
"?:\\Windows\\system32\\wbem\\wmiprvse.exe",
"?:\\Windows\\system32\\MRT.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*",
"?:\\ProgramData\\WebEx\\webex\\*",
"?:\\Windows\\LTSvc\\LTSVC.exe") and
not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
'''
rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2021/10/07"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
min_stack_version = "8.8.0"
updated_date = "2023/06/29"
[rule]
author = ["Elastic"]
rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+3 -3
View File
@@ -2,9 +2,9 @@
creation_date = "2021/10/14"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
min_stack_version = "8.8.0"
updated_date = "2023/06/29"
[rule]
author = ["Elastic"]
rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/06/30"
[transform]
[[transform.osquery]]
@@ -108,7 +108,7 @@ type = "eql"
query = '''
file where host.os.type == "windows" and event.action != "deletion" and file.path != null and
file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", "?:\\Windows\\SoftwareDistribuition\\Download\\*")
file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", "?:\\$WINDOWS.~BT\\Work\\*\\*", "?:\\Windows\\SoftwareDistribution\\Download\\*")
'''
rules/windows/defense_evasion_amsi_bypass_powershell.toml
+5 -3
View File
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/28"
updated_date = "2023/07/05"
[transform]
[[transform.osquery]]
@@ -113,8 +113,7 @@ event.category:"process" and host.os.type:windows and
"amsi.dll" or
AntimalwareProvider or
amsiSession or
amsiContext or
"System.Management.Automation.ScriptBlock" or
amsiContext or
AmsiInitialize or
unloadobfuscated or
unloadsilent or
@@ -124,6 +123,9 @@ event.category:"process" and host.os.type:windows and
powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
)
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''
rules/windows/defense_evasion_posh_assembly_load.toml
+11 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2021/10/15"
integration = ["windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -133,7 +133,16 @@ event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"[System.Reflection.Assembly]::Load" or
"[Reflection.Assembly]::Load"
) and not user.id : "S-1-5-18"
) and not
powershell.file.script_block_text : (
("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and
"HelpDisplayStrings"
) and not
(powershell.file.script_block_text :
("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and
not file.name : "PathFunctions.ps1"
)
and not user.id : "S-1-5-18"
'''

Some files were not shown because too many files have changed in this diff Show More