diff --git a/README.md b/README.md index 771725dce..dec6f11d7 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ Detection Rules contains more than just static rule files. This repository also | folder | description | |------------------------------------------------ |------------------------------------------------------------------------------------ | | [`detection_rules/`](detection_rules) | Python module for rule parsing, validating and packaging | -| [`detection_rules/etc/`](etc) | Miscellaneous files, such as ECS and Beats schemas | +| [`etc/`](detection_rules/etc) | Miscellaneous files, such as ECS and Beats schemas | | [`kibana/`](kibana) | Python library for handling the API calls to Kibana and the Detection Engine | | [`kql/`](kql) | Python library for parsing and validating Kibana Query Language | | [`rta/`](rta) | Red Team Automation code used to emulate attacker techniques, used for rule testing | diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json index 01b070798..8e3a1ab0d 100644 --- a/detection_rules/etc/deprecated_rules.json +++ b/detection_rules/etc/deprecated_rules.json @@ -53,7 +53,7 @@ "deprecation_date": "2023/03/04", "rule_name": "Potential Shell via Web Server", "stack_version": "8.3" - }, + }, "28896382-7d4f-4d50-9b72-67091901fd26": { "deprecation_date": "2022/08/03", "rule_name": "Suspicious Process from Conhost", @@ -199,6 +199,11 @@ "rule_name": "Network Connection via Mshta", "stack_version": "7.10.0" }, + "a5f0d057-d540-44f5-924d-c6a2ae92f045": { + "deprecation_date": "2023/06/22", + "rule_name": "Potential SSH Brute Force Detected on Privileged Account", + "stack_version": "8.3" + }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "deprecation_date": "2021/04/15", "rule_name": "Hex Encoding/Decoding Activity", 
@@ -259,6 +264,11 @@ "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", "stack_version": "8.0" }, + "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { + "deprecation_date": "2023/07/04", + "rule_name": "Reverse Shell Created via Named Pipe", + "stack_version": "8.3" + }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "deprecation_date": "2022/07/25", "rule_name": "Unusual Process Execution - Temp", diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 2584a62ed..c886f3506 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -4,7 +4,7 @@ "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "8d99a9516adb82d97ce31f13c09b7c0ac13e93f917be99097507c20c4015d17e", "type": "query", - "version": 103 + "version": 103 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.3", @@ -41,6 +41,13 @@ "type": "query", "version": 103 }, + "0171f283-ade7-4f87-9521-ac346c68cc9b": { + "min_stack_version": "8.3", + "rule_name": "Potential Network Scan Detected", + "sha256": "05f7ecbd3c668d2efc8876c68c247c96f2dfdfbb1d88da3feaf3127805145773", + "type": "threshold", + "version": 1 + }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.3", "rule_name": "Potential Cookies Theft via Browser Debugging", @@ -56,11 +63,20 @@ "version": 4 }, "02a4576a-7480-4284-9327-548a806b5e48": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", + "sha256": "8f8844fda927ba3149c7d983e7f7619e33e5745f8b1f389c0e10f3b6ba852e0a", + "type": "eql", + "version": 106 + } + }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "789be8d5147c605bb71d3b8591d50e528487c9440450bf27e1711d36edb5b5c5", "type": "eql", - "version": 105 + "version": 206 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "min_stack_version": "8.3", 
@@ -174,6 +190,13 @@ "type": "eql", "version": 105 }, + "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Proc Pseudo File System Enumeration", + "sha256": "245438059687e2254156b7de6af2bb96cd52b3263ad178486202c575da0a28c0", + "type": "threshold", + "version": 1 + }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.3", "rule_name": "Local Account TokenFilter Policy Disabled", @@ -218,6 +241,13 @@ "type": "query", "version": 103 }, + "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { + "min_stack_version": "8.4", + "rule_name": "First Time Seen Removable Device", + "sha256": "6fe9605f5969f9fdbeebe376c053f8522fde40eecb05605ffc286f728c904a51", + "type": "new_terms", + "version": 1 + }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", "sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb", @@ -374,11 +404,20 @@ "version": 100 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "sha256": "62abee660a99e58c72f6c4c79047fea8effc510ba10448a766fc3d03d4a36720", + "type": "threshold", + "version": 106 + } + }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "11e0bf29e964bfa87c51e81ea74a1e1174e444b2585a44c67e5a7db58fd0391a", "type": "threshold", - "version": 105 + "version": 206 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "min_stack_version": "8.3", 
@@ -468,11 +507,20 @@ "version": 100 }, "128468bf-cab1-4637-99ea-fdf3780a4609": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "Suspicious Lsass Process Access", + "sha256": "c30f6e62697cdaf210db4d6f79d2686bc91e4427ee7bbaea3468482a88373d5c", + "type": "eql", + "version": 5 + } + }, "rule_name": "Suspicious Lsass Process Access", - "sha256": "1eb30fe67fa0abaee0506c1b7c6670c291135f1d6068853480c1a55653893c67", + "sha256": "76c9bb0e0674d8903c7f1429ef3267a939de6bd90838451429533396f7bfbbb8", "type": "eql", - "version": 4 + "version": 105 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "min_stack_version": "8.4", @@ -761,9 +809,9 @@ "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "d04dc98fb22e15f098a76788b675edc49e4bf499983adbf70710640742a10eac", + "sha256": "8b67ccd035342354a2698b9006811320c186cc7a6caebc0aaff26698e08a45bd", "type": "eql", - "version": 6 + "version": 7 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "min_stack_version": "8.3", @@ -775,9 +823,9 @@ "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "09705ab2ee66850492028c8fd86ed71afce32f932312e1453b6886d0c9e95fa6", + "sha256": "9c653b226714edd66db9bcd63a5b61afe9f915a3d04b61c4e9641b0132981891", "type": "eql", - "version": 106 + "version": 107 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "min_stack_version": "8.3", 
@@ -789,9 +837,9 @@ "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "fd9c5690985b7c83672b0f08e298045ca247f83559a1a858a5b4752308f6bed9", + "sha256": "fad07b733ad42f63807d05c81d55df36306a6c09c9e59bbf960f30ffd4f3d047", "type": "eql", - "version": 104 + "version": 105 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.3", @@ -1026,9 +1074,9 @@ "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "f96041c4a051d8bc206063cccec4c36ba921d0212c5d724572623af7ae44c6f9", + "sha256": "181d04840190629ceac8ddaecd5d5cbd16eec9b17b497b70284b04070ad8f3a1", "type": "eql", - "version": 104 + "version": 105 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "min_stack_version": "8.3", @@ -1068,9 +1116,9 @@ "28738f9f-7427-4d23-bc69-756708b5f624": { "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", - "sha256": "d4f6e38433ee840988ea690bc217d0c04ff099fc5e183146a176b8d77ec750a8", + "sha256": "af6a4c763918f1b8c3b75c94da57150e6613f9b1c060b6253fc7dd08841c57dc", "type": "eql", - "version": 2 + "version": 3 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", @@ -1106,6 +1154,13 @@ "type": "eql", "version": 108 }, + "2a692072-d78d-42f3-a48a-775677d79c4e": { + "min_stack_version": "8.3", + "rule_name": "Potential Code Execution via Postgresql", + "sha256": "4a70cd9ce5cb0245001ed19046dc9211a007e0edb87d55d452e8623cd0aac76c", + "type": "eql", + "version": 1 + }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "min_stack_version": "8.4", "previous": { 
@@ -1158,11 +1213,20 @@ "version": 104 }, "2dd480be-1263-4d9c-8672-172928f6789a": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Suspicious Process Access via Direct System Call", + "sha256": "9aa09b7a6367bc4d21531ae1e5860ac4f0f89b9a2331c0c63032d8fa85c753e5", + "type": "eql", + "version": 108 + } + }, "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "df14ef4e07fceb0c56c6aa4890c718fa6bd9c54adc900f5bf264727e7a7c0d37", "type": "eql", - "version": 107 + "version": 208 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "min_stack_version": "8.3", @@ -1223,9 +1287,9 @@ "2f8a1226-5720-437d-9c20-e0029deb6194": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable Syslog Service", - "sha256": "018cd94848cb4fe2b823573ca90addd46f7d11c6846367ce77057e16348d8181", - "type": "query", - "version": 104 + "sha256": "d53d2bac0f592f365342ebf32de4f22f12321dff80b3982f1dff5848f91a5994", + "type": "eql", + "version": 105 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "min_stack_version": "8.3", @@ -1561,11 +1625,20 @@ "version": 105 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Suspicious Process Creation CallTrace", + "sha256": "ef3b36cfe9937ac9e94d85f43e7c8d1eb725f6edec2353a6c3df2745f5d06fbb", + "type": "eql", + "version": 107 + } + }, "rule_name": "Suspicious Process Creation CallTrace", "sha256": "7cb2b7500b86c37fa3f51926431b8f44f6c119d48cf37e143cfa176f9facadb8", "type": "eql", - "version": 106 + "version": 207 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "min_stack_version": "8.3", 
@@ -1595,6 +1668,13 @@ "type": "eql", "version": 103 }, + "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Modprobe File Event", + "sha256": "9db38abed795d655cb74c1744a934743fbf685f4ae38cb42a28e35bd06eefda6", + "type": "eql", + "version": 1 + }, "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.3", "rule_name": "Control Panel Process with Unusual Arguments", @@ -1675,9 +1755,9 @@ "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { "min_stack_version": "8.3", "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "099a172ef4590e40ac82c92b5a99f53ac755bc20da2a48b0d55b05a84e594d52", + "sha256": "3338f91573d9f2de9fec741a8de8feac5f2b0486ab6c185b94f5f37b938c89fc", "type": "eql", - "version": 7 + "version": 8 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "min_stack_version": "8.3", @@ -1762,6 +1842,13 @@ "type": "eql", "version": 103 }, + "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { + "min_stack_version": "8.3", + "rule_name": "Potential Reverse Shell", + "sha256": "a712b2abc1979328e3ba6864ed807bd469b2ec80c5c84f8ae8de16d759578a67", + "type": "eql", + "version": 1 + }, "48b6edfc-079d-4907-b43c-baffa243270d": { "min_stack_version": "8.3", "rule_name": "Multiple Logon Failure from the same Source Address", @@ -1813,6 +1900,13 @@ "type": "query", "version": 106 }, + "4973e46b-a663-41b8-a875-ced16dda2bb0": { + "min_stack_version": "8.6", + "rule_name": "Potential Process Injection via LD_PRELOAD Environment Variable", + "sha256": "c98c09aa04335312a0ff21b0af0e49c0218d303221038df2aab1398fb821ba5a", + "type": "eql", + "version": 1 + }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "min_stack_version": "8.3", "rule_name": "Possible FIN7 DGA Command and Control Behavior", 
@@ -1820,6 +1914,13 @@ "type": "query", "version": 102 }, + "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { + "min_stack_version": "8.3", + "rule_name": "Potential Reverse Shell via Suspicious Parent Process", + "sha256": "2ee3bc61b99c1f90573b3be75492cd5a761d90e381955929c03553fbc8504525", + "type": "eql", + "version": 1 + }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "min_stack_version": "8.3", "rule_name": "Disable Windows Firewall Rules via Netsh", @@ -1848,6 +1949,13 @@ "type": "query", "version": 6 }, + "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { + "min_stack_version": "8.3", + "rule_name": "Kernel Load or Unload via Kexec Detected", + "sha256": "c58ed6e2277c2938844908a89695fa82660c307bc9dc206f10a52e4fa077b9a0", + "type": "eql", + "version": 1 + }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "min_stack_version": "8.3", "rule_name": "AWS Management Console Brute Force of Root User Identity", @@ -1939,6 +2047,13 @@ "type": "eql", "version": 104 }, + "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { + "min_stack_version": "8.3", + "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", + "sha256": "c3228a5cb84c6e646834e1f6a578e0b7c642d97082d1faf6cb28e94b94553d66", + "type": "eql", + "version": 1 + }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "min_stack_version": "8.3", "rule_name": "AWS GuardDuty Detector Deletion", @@ -1949,9 +2064,9 @@ "52376a86-ee86-4967-97ae-1a05f55816f0": { "min_stack_version": "8.3", "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "29790b0b2d6e35dffcb37b29b2d5cb4d22b7d35cd064e746deef921d52db47f7", + "sha256": "08e086437b7c505630da7f3f2859efadfd8944d262f1bddb19d4c71766cb0cbe", "type": "eql", - "version": 105 + "version": 106 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "min_stack_version": "8.3", 
@@ -2122,9 +2237,9 @@ "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "min_stack_version": "8.3", "rule_name": "RDP Enabled via Registry", - "sha256": "29078352bc699df5b5ecfa39cece91616abc3ce7dce5685f3018a5d36d993b1c", + "sha256": "f5c878461dc75c880cecb2f8430512a7a3b35a7636ba5436fb47b4b24e67dfb7", "type": "eql", - "version": 105 + "version": 106 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "min_stack_version": "8.3", @@ -2175,6 +2290,13 @@ "type": "eql", "version": 104 }, + "5a3d5447-31c9-409a-aed1-72f9921594fd": { + "min_stack_version": "8.3", + "rule_name": "Potential Reverse Shell via Java", + "sha256": "f28586fc72625444f3b4be252b142c3e5c82e50f4adb96f5be4958dec4268f41", + "type": "eql", + "version": 1 + }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "min_stack_version": "8.3", "rule_name": "Remote SSH Login Enabled via systemsetup Command", @@ -2449,6 +2571,13 @@ "type": "eql", "version": 102 }, + "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { + "min_stack_version": "8.3", + "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", + "sha256": "5011350beae3fbee34961ee280dce76139c391e32caf77391b710c0998735d95", + "type": "eql", + "version": 1 + }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", @@ -2500,9 +2629,9 @@ "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { "min_stack_version": "8.3", "rule_name": "High Number of Process Terminations", - "sha256": "2f7bfcd5121da1321ec96a27333dcd7da86d0ec12827922338b4642913d43c93", + "sha256": "ce2fa2e1187bf642ec55d7d148eec060fa325ac951f2be420c402e1ad51270f5", "type": "threshold", - "version": 106 + "version": 107 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", 
@@ -2775,16 +2904,16 @@ "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "min_stack_version": "8.3", "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "92da433ebfb2177c7b51819eebbe61957a72ff556cb3ded55d826a7fc9d45913", + "sha256": "db42ea3e5c51dbabb3613e87b500b004d6b2f22db0587ca0bd388a8e546c6093", "type": "query", - "version": 104 + "version": 105 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.3", "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "e52eed9c8cd5496c5c1c20e815e74393fb74456306252edb79633e1e3618cf8a", + "sha256": "e9810aa03d41a4680292d5c35a83f9c73d6d88b8ba00196480064195b316969d", "type": "eql", - "version": 108 + "version": 109 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.3", @@ -2841,6 +2970,13 @@ "type": "machine_learning", "version": 102 }, + "7592c127-89fb-4209-a8f6-f9944dfd7e02": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Sysctl File Event", + "sha256": "f79fc847a2fd5595520dba9ec67e770ad628d3c141e6befef5c8622a55a1e0be", + "type": "eql", + "version": 1 + }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "min_stack_version": "8.3", "rule_name": "Web Application Suspicious Activity: Unauthorized Method", @@ -2892,6 +3028,13 @@ "type": "eql", "version": 104 }, + "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { + "min_stack_version": "8.3", + "rule_name": "Potential Reverse Shell via Suspicious Child Process", + "sha256": "7e4a8ddc67134b3b531131acefeb839f8301364cbf5af9e59961b718342f9424", + "type": "eql", + "version": 1 + }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", 
@@ -2920,6 +3063,13 @@ "type": "query", "version": 102 }, + "781f8746-2180-4691-890c-4c96d11ca91d": { + "min_stack_version": "8.3", + "rule_name": "Potential Network Sweep Detected", + "sha256": "73eee30fa3997742747ac2b5413ee70cc35e4b3be16faa7c79e268a16425ba79", + "type": "threshold", + "version": 1 + }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "min_stack_version": "8.4", "previous": { @@ -3005,11 +3155,20 @@ "version": 105 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Suspicious LSASS Access via MalSecLogon", + "sha256": "cfb5125f0705e215f8dc00f7a38fe7454cf24077181b6b9c70068c7e46fbadb6", + "type": "eql", + "version": 106 + } + }, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "29e6369ddb5da23c00355cf063d8da8f8dc008a9cd28b2d2f6324d8b9618c53a", "type": "eql", - "version": 105 + "version": 206 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "min_stack_version": "8.3", @@ -3153,9 +3312,9 @@ "852c1f19-68e8-43a6-9dce-340771fe1be3": { "min_stack_version": "8.3", "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "bc53d1dbba1010446ca85bd7500870ce3bde0884a67804fc35db83bef33069ff", + "sha256": "6d16ec9af048dc6cb0ae829032dc7f010510fc01e39097bf9deb4d6476af80fd", "type": "eql", - "version": 106 + "version": 107 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "min_stack_version": "8.3", @@ -3333,9 +3492,9 @@ "8cb84371-d053-4f4f-bce0-c74990e28f28": { "min_stack_version": "8.3", "rule_name": "Potential SSH Password Guessing", - "sha256": "cdf197aac53bebddcf87f917dd2a37e795c2187adac142d96c83f91ae832a7de", + "sha256": "26894fa5e08e82c7990e3ae5d6fb094214df7da670d2eb5fb9d2001e7772265c", "type": "eql", - "version": 5 + "version": 6 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "min_stack_version": "8.8", 
@@ -3702,11 +3861,20 @@ "version": 103 }, "9960432d-9b26-409f-972b-839a959e79e2": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Potential Credential Access via LSASS Memory Dump", + "sha256": "51227a6967396d84ff70c0b13a8a92fe16f45b0f6824b1cafb1b648ea5d5fddd", + "type": "eql", + "version": 106 + } + }, "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "2afc41e645fc2f007dfe22ec27e0c211672070aacd5d5a0a8281a8e68a24639f", "type": "eql", - "version": 105 + "version": 206 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "8.3", @@ -3723,11 +3891,20 @@ "version": 102 }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "Potential Shadow File Read via Command Line Utilities", + "sha256": "96dd345dd9049c6da3264d6610314a092cfb79e65182d8d163815c1889ba3314", + "type": "eql", + "version": 5 + } + }, "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "96dd345dd9049c6da3264d6610314a092cfb79e65182d8d163815c1889ba3314", - "type": "eql", - "version": 5 + "sha256": "ebd07f4f1c4c808413c8280170d1a229c9ff5ea9c42f0a11e064e4861965f364", + "type": "new_terms", + "version": 105 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.3", @@ -3889,9 +4066,9 @@ "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.3", "rule_name": "A scheduled task was updated", - "sha256": "2c9704e304d8d996f137257b6854e679631bcfa0dd302aca47f47cedd91892e7", + "sha256": "f72866c48ccae69c487c9485afbf8ca05fc67403d5bda38d738920206c830645", "type": "eql", - "version": 7 + "version": 8 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "min_stack_version": "8.3", 
@@ -4143,9 +4320,9 @@ "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", "rule_name": "Remotely Started Services via RPC", - "sha256": "bd0ca2d04964ce7d36b017a81d9d9967a362419827fa1d636cffd34764f0f18c", + "sha256": "02da666124b0d072a5ce43d2b0eb1c1f0687435a6b1ec47726d9e42905b9d60f", "type": "eql", - "version": 106 + "version": 107 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "min_stack_version": "8.5", @@ -4411,9 +4588,9 @@ "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Elastic Agent Service Terminated", - "sha256": "b7aa857260502cd30f5f4c65ccbd873479e0bfcdac74dfd364e78fb9a5f9678f", + "sha256": "1a60d9adba57832adff8082d1c2b375560d5b1f7eb2111020afb019fff3fd6ef", "type": "eql", - "version": 102 + "version": 103 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.3", @@ -4474,9 +4651,9 @@ "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", - "sha256": "7409022ed873888e3837126b2a4d3fd6cf87c2f90b31a796c97f198df51975d1", + "sha256": "883163582e8b2af740c8ae7d6dc898796d4d0bdefec3f0faced835054500fe87", "type": "eql", - "version": 104 + "version": 105 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "min_stack_version": "8.3", @@ -4541,6 +4718,13 @@ "type": "query", "version": 102 }, + "bbaa96b9-f36c-4898-ace2-581acb00a409": { + "min_stack_version": "8.3", + "rule_name": "Potential SYN-Based Network Scan Detected", + "sha256": "e3fa0192e162477e7c0432616bc59efd5cbfa01e8b3a70e8fe7cc9977b7a7249", + "type": "threshold", + "version": 1 + }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", 
@@ -4628,9 +4812,9 @@ "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "6bb5a10732152506d86df3c43cf30d8e3f6698d13860c82c5864203686602712", + "sha256": "aabc80f5592be42389ac49d447b4cf6c02f92531bfcb96e9b3e8d42ab0d221d0", "type": "eql", - "version": 105 + "version": 106 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "min_stack_version": "8.3", @@ -4880,9 +5064,9 @@ "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "min_stack_version": "8.3", "rule_name": "Potential Linux Ransomware Note Creation Detected", - "sha256": "c6d72fb392daa85873c96a647cbfa1b511bdddefb7c25e62a6064cc1ddcbd775", + "sha256": "96682e9b9640c83fb004fefdfadefa0499ffaee2f18b224c2a919c0be924579c", "type": "eql", - "version": 2 + "version": 3 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.3", @@ -4926,11 +5110,20 @@ "version": 100 }, "cac91072-d165-11ec-a764-f661ea17fbce": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Abnormal Process ID or Lock File Created", + "sha256": "773477fde04d636ba32e12c52480ac912e81cc69b6e5fe6612f0a40e65434750", + "type": "eql", + "version": 107 + } + }, "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "773477fde04d636ba32e12c52480ac912e81cc69b6e5fe6612f0a40e65434750", - "type": "eql", - "version": 107 + "sha256": "d76db814f07cf25a8e686f720a3a92b86455db0f2209dc2a12e1f31d5444e096", + "type": "new_terms", + "version": 207 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.4", 
@@ -5266,9 +5459,9 @@ "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "44072cf7c1f20e90e72ec90b43418d1ae4535fd6acbc5ddfdeb17f2f9daf9b42", + "sha256": "e6b3ef23ab08030ed69f89c0ff395b3e4735d6f053e32e2f5a39b4c522c192e7", "type": "eql", - "version": 105 + "version": 106 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "min_stack_version": "8.3", @@ -5360,6 +5553,13 @@ "type": "query", "version": 101 }, + "dc0b7782-0df0-47ff-8337-db0d678bdb66": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", + "sha256": "e4ae2073950e301288dd33fc960e36f0d7873b7529fc979ac34d8ffa4af1c11c", + "type": "eql", + "version": 1 + }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", "sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095", @@ -5739,6 +5939,13 @@ "type": "eql", "version": 3 }, + "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { + "min_stack_version": "8.4", + "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", + "sha256": "137b5aa97aad2f77517958f46e0bce9edb04a546f1eb2dbb6a8f63fba22b69f8", + "type": "new_terms", + "version": 1 + }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.3", "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", @@ -5817,9 +6024,9 @@ "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "min_stack_version": "8.3", "rule_name": "Suspicious Network Connection Attempt by Root", - "sha256": "ce171e10dd4f2e9f29d53f86a45ef18f13d60934ea0b9dfab548e7e78bdb4327", + "sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e", "type": "eql", - "version": 103 + "version": 104 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.3", 
@@ -6047,9 +6254,9 @@ "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", - "sha256": "2cc5999ea9bca1224596aa743a6061b9a66467314d2e17783d03f46fc9ebeb4a", + "sha256": "5f0a33718711359e7a2af2f2e56e9f79233e0193ae37a5b8b39e5095584c8993", "type": "eql", - "version": 105 + "version": 106 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "min_stack_version": "8.3", @@ -6085,6 +6292,13 @@ "type": "eql", "version": 100 }, + "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Data Encryption via OpenSSL Utility", + "sha256": "188ba26251c3df6a20ccd67b2ae9b96139fb4d5c1c68e891399e9d99feba842f", + "type": "eql", + "version": 1 + }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.3", "rule_name": "Windows Script Executing PowerShell", @@ -6214,16 +6428,23 @@ "fa210b61-b627-4e5e-86f4-17e8270656ab": { "min_stack_version": "8.3", "rule_name": "Potential External Linux SSH Brute Force Detected", - "sha256": "0a85e5b12d3f9d504e42f5657e237eabe3b1f46221056c4468a09afa97701f11", + "sha256": "983e0ddc1783910db137adf087a0cb74b34fbf20bf1569b9024cd5578ab1b84a", "type": "eql", - "version": 2 + "version": 3 + }, + "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { + "min_stack_version": "8.3", + "rule_name": "Potential Reverse Shell via Suspicious Binary", + "sha256": "ee207a0dc12424d42a280ae67bb24d949dc4a3b91c0a3c709e0051db52d4165a", + "type": "eql", + "version": 1 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.3", "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "70f6b702304d14b1e4db662b3b6f9eec193223953e69772dbc78cff2ae73d186", + "sha256": "bc08d2c4be90293d885bf62c71e887f88c297e8f8366a937fb61e30784ee0a8f", "type": "eql", - "version": 4 + "version": 5 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "8.3", diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 7f7f85898..00c97d61a 100644 
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -698,6 +698,9 @@ class EQLRuleData(QueryRuleData):
     """EQL rules are a special case of query rules."""
     type: Literal["eql"]
     language: Literal["eql"]
+    timestamp_field: Optional[str] = field(metadata=dict(metadata=dict(min_compat="8.0")))
+    event_category_override: Optional[str] = field(metadata=dict(metadata=dict(min_compat="8.0")))
+    tiebreaker_field: Optional[str] = field(metadata=dict(metadata=dict(min_compat="8.0")))
 
     def convert_relative_delta(self, lookback: str) -> int:
         now = len("now")
diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
index 079a6edee..08606d02c 100644
--- a/detection_rules/rule_validators.py
+++ b/detection_rules/rule_validators.py
@@ -5,7 +5,8 @@
 """Validation logic for rules containing queries."""
 
 from functools import cached_property
-from typing import List, Optional, Union
+from typing import List, Optional, Union, Tuple
+from semver import Version
 
 import eql
 
@@ -13,7 +14,9 @@ import kql
 
 from . import ecs, endgame
 from .integrations import get_integration_schema_data, load_integrations_manifests
-from .rule import QueryRuleData, QueryValidator, RuleMeta, TOMLRuleContents
+from .misc import load_current_package_version
+from .schemas import get_stack_schemas
+from .rule import QueryRuleData, QueryValidator, RuleMeta, TOMLRuleContents, EQLRuleData
 
 EQL_ERROR_TYPES = Union[eql.EqlCompileError, eql.EqlError,
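Review bot: The three new `EQLRuleData` fields carry no comment saying what they hold, and nothing in this class ties them to the validator that consumes them, so a reader cannot tell that each value is expected to be a field name. A comment above `timestamp_field` such as `# Optional EQL query settings; each value is a field name and is checked against the ECS schema by EQLValidator.validate_rule_type_configurations` would make that contract visible. `min_compat="8.0"` is the only constraint expressed here; if the Detection Engine accepted any of these settings only from a later stack version, the gate should match, which I cannot confirm from the diff. The class body continues outside the hunk.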
@@ -194,6 +197,12 @@ class EQLValidator(QueryValidator):
         if validation_checks["stack"] and validation_checks["integrations"]:
             raise ValueError(f"Error in both stack and integrations checks: {validation_checks}")
 
+        rule_type_config_fields, rule_type_config_validation_failed = \
+            self.validate_rule_type_configurations(data, meta)
+        if rule_type_config_validation_failed:
+            raise ValueError(f"""Rule type config values are not ECS compliant, check these values:
+            {rule_type_config_fields}""")
+
     def validate_stack_combos(self, data: QueryRuleData, meta: RuleMeta) -> Union[EQL_ERROR_TYPES, None, ValueError]:
         """Validate the query against ECS and beats schemas across stack combinations."""
         for stack_version, mapping in meta.get_validation_stack_versions().items():
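Review bot: The triple-quoted f-string in the new `raise ValueError(...)` embeds the line break and the source indentation into the error text, so the message a rule author sees contains a stray whitespace-padded line; a single-line string reads cleanly: `raise ValueError(f"Rule type config values are not ECS compliant, check these values: {rule_type_config_fields}")`. The message also lists only the offending values, not which of `timestamp_field`/`event_category_override`/`tiebreaker_field` carried them, which the helper could return alongside the values. The enclosing `validate` method starts outside the hunk; if it annotates `data` as `QueryRuleData` like `validate_stack_combos` below, a type checker may flag this call because the helper expects `EQLRuleData`.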
@@ -308,6 +317,29 @@ class EQLValidator(QueryValidator):
             print(err_trailer)
         return exc
 
+    def validate_rule_type_configurations(self, data: EQLRuleData, meta: RuleMeta) -> \
+            Tuple[List[Optional[str]], bool]:
+        """Validate EQL rule type configurations."""
+        if data.timestamp_field or data.event_category_override or data.tiebreaker_field:
+
+            # get a list of rule type configuration fields
+            # Get a list of rule type configuration fields
+            fields = ["timestamp_field", "event_category_override", "tiebreaker_field"]
+            set_fields = list(filter(None, (data.get(field) for field in fields)))
+
+            # get stack_version and ECS schema
+            min_stack_version = meta.get("min_stack_version")
+            if min_stack_version is None:
+                min_stack_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)
+            ecs_version = get_stack_schemas()[str(min_stack_version)]['ecs']
+            schema = ecs.get_schema(ecs_version)
+
+            # return a list of rule type config field values and whether any are not in the schema
+            return (set_fields, any([f not in schema.keys() for f in set_fields]))
+        else:
+            # if rule type fields are not set, return an empty list and False
+            return [], False
+
 
 def extract_error_field(exc: Union[eql.EqlParseError, kql.KqlParseError]) -> Optional[str]:
     """Extract the field name from an EQL or KQL parse error."""
diff --git a/rta/bin/netcon_exec_chain.elf b/rta/bin/netcon_exec_chain.elf
new file mode 100755
index 000000000..4f7aee1a9
Binary files /dev/null and b/rta/bin/netcon_exec_chain.elf differ
diff --git a/rta/exec_java_revshell_linux.py b/rta/exec_java_revshell_linux.py
new file mode 100644
index 000000000..6afc5de9c
--- /dev/null
+++ b/rta/exec_java_revshell_linux.py
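Review bot: `get_stack_schemas()[str(min_stack_version)]` will raise a bare KeyError rather than a validation error whenever the rule's `min_stack_version` string is not spelled exactly like the schema-map keys, because `Version.parse(..., optional_minor_and_patch=True)` normalizes only the fallback branch; parsing both the same way, `min_stack_version = Version.parse(meta.get("min_stack_version") or load_current_package_version(), optional_minor_and_patch=True)`, keeps the lookup key independent of which branch ran. The check consults only the ECS schema of one stack version, whereas `validate_stack_combos` earlier in this file validates against ECS plus beats/integration mappings for every version in `meta.get_validation_stack_versions()`, so a `timestamp_field` or `tiebreaker_field` that is a legitimate non-ECS field is rejected here as "not ECS compliant"; if that strictness is intended, the docstring should say so. The two consecutive comments `# get a list of rule type configuration fields` / `# Get a list of rule type configuration fields` are a duplicate, and `any([f not in schema.keys() for f in set_fields])` can be `any(f not in schema for f in set_fields)`. The return annotation promises `List[Optional[str]]`, but `filter(None, ...)` already drops empty values, so `List[str]` is the accurate type.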
@@ -0,0 +1,47 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+metadata = RtaMetadata(
+ uuid="e0db3577-879e-4ac2-bd58-691e1343afca",
+ platforms=["linux"],
+ endpoint=[{"rule_name": "Potential Linux Reverse Shell via Java", "rule_id": "e0db3577-879e-4ac2-bd58-691e1343afca"}],
+ siem=[],
+ techniques=["T1059", "T1071"],
+)
+
+@common.requires_os(metadata.platforms)
+
+def main():
+ common.log("Creating a fake Java executable..")
+ masquerade = "/bin/java"
+ source = common.get_path("bin", "netcon_exec_chain.elf")
+ common.copy_file(source, masquerade)
+
+ common.log("Granting execute permissions...")
+ common.execute(['chmod', '+x', masquerade])
+
+ commands = [
+ masquerade,
+ 'chain',
+ '-h',
+ '127.0.0.1',
+ '-p',
+ '1337',
+ '-c',
+ '-jar'
+ ]
+
+ common.log("Simulating reverse shell activity..")
+ common.execute([*commands], timeout=5)
+ common.log("Reverse shell simulation successful!")
+ common.log("Cleaning...")
+ common.remove_file(masquerade)
+ common.log("RTA completed!")
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/kernel_module_removal_execution.py b/rta/kernel_module_removal_execution.py
new file mode 100644
index 000000000..a0076f31d
--- /dev/null
+++ b/rta/kernel_module_removal_execution.py
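Review bot: `masquerade = "/bin/java"` copies the test binary over a real system path and `common.remove_file(masquerade)` later deletes it; on hosts where `/bin` is merged into `/usr/bin` an installed Java binary at that path would be overwritten and then removed, and the copy needs root in any case. Unless the detection keys on that exact executable path, the `/tmp/<name>` convention the sibling RTAs in this commit use is the safer choice: `masquerade = "/tmp/java"`. Two smaller points: `common.execute([*commands], timeout=5)` copies the list for no reason (`common.execute(commands, timeout=5)` is equivalent), and the blank line between `@common.requires_os(metadata.platforms)` and `def main():` is legal but flagged by linters (E304) and absent from the other new RTAs.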
@@ -0,0 +1,46 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from pathlib import Path
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="900e8599-1d5f-4522-9aed-6eab82de2bad",
+ platforms=["linux"],
+ endpoint=[
+ {
+ "rule_name": "Kernel Module Removal",
+ "rule_id": "e80ba5e4-b6c6-4534-87b0-8c0f4e1d97e7",
+ }
+ ],
+ siem=[
+ {
+ "rule_name": "Kernel Module Removal",
+ "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
+ }
+ ],
+ techniques=["T1562", "T1562.001", "T1547", "T1547.006"],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+
+ masquerade = "/tmp/rmmod"
+ source = common.get_path("bin", "linux.ditto_and_spawn")
+ common.copy_file(source, masquerade)
+
+ # Execute command
+ common.log("Launching fake commands to remove Kernel Module")
+ common.execute([masquerade], timeout=10, kill=True)
+
+ # cleanup
+ common.remove_file(masquerade)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/mimipenguin_execution.py b/rta/mimipenguin_execution.py
new file mode 100644
index 000000000..d96859b90
--- /dev/null
+++ b/rta/mimipenguin_execution.py
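Review bot: `from pathlib import Path` is imported but never used anywhere in this file; the same unused import appears in the `mimipenguin_execution.py` and `unshadow_execution.py` hunks below. Dropping the line in all three keeps the new RTAs lint-clean and consistent with `exec_java_revshell_linux.py`, which imports only `common` and `RtaMetadata`.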
@@ -0,0 +1,50 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from pathlib import Path
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="e5a98cc9-1f15-4d14-baf2-96bebb932ae9",
+ platforms=["linux"],
+ endpoint=[
+ {
+ "rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
+ "rule_id": "508226f9-4030-4e86-86cd-63321b7164bc",
+ }
+ ],
+ siem=[
+ {
+ "rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
+ "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
+ }
+ ],
+ techniques=["T1212", "T1003", "T1003.007"],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+
+ masquerade = "/tmp/ps"
+ masquerade2 = "/tmp/strings"
+ source = common.get_path("bin", "linux.ditto_and_spawn")
+ common.copy_file(source, masquerade)
+ common.copy_file(source,masquerade2)
+
+ # Execute command
+ common.log("Launching fake commands to dump credential via proc")
+ common.execute([masquerade, "-eo", "pid", "command"], timeout=10, kill=True)
+ common.execute([masquerade2, "/tmp/test"], timeout=10, kill=True)
+
+ # cleanup
+ common.remove_file(masquerade)
+ common.remove_file(masquerade2)
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/rta/src/netcon_exec_chain.go b/rta/src/netcon_exec_chain.go
new file mode 100644
index 000000000..bf878a086
--- /dev/null
+++ b/rta/src/netcon_exec_chain.go
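Review bot: `common.copy_file(source,masquerade2)` is missing the space after the comma that the line directly above it has; `common.copy_file(source, masquerade2)`. The `/tmp/test` argument handed to the fake `strings` is never created by this script, which is presumably fine because `linux.ditto_and_spawn` only needs the argv to be observed, but that deserves a one-line comment next to the call, e.g. `# /tmp/test need not exist; only the process arguments are observed`.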
@@ -0,0 +1,97 @@
+package main
+
+import (
+ "flag"
+ "fmt"
+ "net"
+ "os"
+ "os/exec"
+ "time"
+)
+
+func main() {
+ netconCommand := flag.NewFlagSet("netcon", flag.ExitOnError)
+ netconIP := netconCommand.String("h", "", "IP address")
+ netconPort := netconCommand.Int("p", 0, "Port")
+
+ execCommand := flag.NewFlagSet("exec", flag.ExitOnError)
+ execCmd := execCommand.String("c", "", "Shell command")
+
+ chainCommand := flag.NewFlagSet("chain", flag.ExitOnError)
+ chainIP := chainCommand.String("h", "", "IP address")
+ chainPort := chainCommand.Int("p", 0, "Port")
+ chainCmd := chainCommand.String("c", "", "Shell command")
+
+ if len(os.Args) < 2 {
+ fmt.Println("Usage:")
+ fmt.Println(" netcon -h -p ")
+ fmt.Println(" exec -c ")
+ fmt.Println(" chain -h -p -c ")
+ os.Exit(1)
+ }
+
+ switch os.Args[1] {
+ case "netcon":
+ netconCommand.Parse(os.Args[2:])
+ if *netconIP == "" || *netconPort == 0 {
+ fmt.Println("Missing IP address or port")
+ netconCommand.PrintDefaults()
+ os.Exit(1)
+ }
+ conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", *netconIP, *netconPort))
+ if err != nil {
+ fmt.Println("Failed to connect:", err)
+ os.Exit(1)
+ }
+ conn.Close()
+
+ case "exec":
+ execCommand.Parse(os.Args[2:])
+ if *execCmd == "" {
+ fmt.Println("Missing command")
+ execCommand.PrintDefaults()
+ os.Exit(1)
+ }
+ cmd := exec.Command("/bin/sh", "-c", *execCmd)
+ cmd.Stdout = os.Stdout
+ cmd.Stderr = os.Stderr
+ err := cmd.Run()
+ if err != nil {
+ fmt.Println("Failed to execute command:", err)
+ os.Exit(1)
+ }
+
+ case "chain":
+ chainCommand.Parse(os.Args[2:])
+ if *chainIP == "" || *chainPort == 0 || *chainCmd == "" {
+ fmt.Println("Missing IP address, port, or command")
+ chainCommand.PrintDefaults()
+ os.Exit(1)
+ }
+ conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", *chainIP, *chainPort))
+ if err != nil {
+ fmt.Println("Failed to connect:", err)
+ } else {
+ conn.Close()
+ }
+
+ time.Sleep(10 * time.Millisecond)
+
+ cmd := exec.Command("/bin/sh", "-c", *chainCmd)
+ cmd.Stdout = os.Stdout
+ cmd.Stderr = os.Stderr
+ err = cmd.Run()
+ if err != nil {
+ fmt.Println("Failed to execute command:", err)
+ os.Exit(1)
+ }
+
+ default:
+ fmt.Println("Invalid command")
+ fmt.Println("Usage:")
+ fmt.Println(" netcon -h -p ")
+ fmt.Println(" exec -c ")
+ fmt.Println(" chain -h -p -c ")
+ os.Exit(1)
+ }
+}
\ No newline at end of file
diff --git a/rta/unshadow_execution.py b/rta/unshadow_execution.py
new file mode 100644
index 000000000..3b5c4f89e
--- /dev/null
+++ b/rta/unshadow_execution.py
@@ -0,0 +1,46 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from pathlib import Path
+from . import common
+from . import RtaMetadata
+
+
+metadata = RtaMetadata(
+ uuid="c5cecd6d-a7c4-4e3b-970d-6ca5cfc5c662",
+ platforms=["linux"],
+ endpoint=[
+ {
+ "rule_name": "Potential Linux Credential Dumping via Unshadow",
+ "rule_id": "05f95917-6942-4aab-a904-37c6db906503",
+ }
+ ],
+ siem=[
+ {
+ "rule_name": "Potential Linux Credential Dumping via Unshadow",
+ "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
+ }
+ ],
+ techniques=["T1003", "T1003.008"],
+)
+
+
+@common.requires_os(metadata.platforms)
+def main():
+
+ masquerade = "/tmp/unshadow"
+ source = common.get_path("bin", "linux.ditto_and_spawn")
+ common.copy_file(source, masquerade)
+
+ # Execute command
+ common.log("Launching fake commands to dump credential via unshadow")
+ common.execute([masquerade, "/etc/passwd /etc/shadow"], timeout=10, kill=True)
+
+ # cleanup
+ common.remove_file(masquerade)
+
+
+if __name__ == "__main__":
+ exit(main())
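Review bot: The usage text is printed twice, once in the `len(os.Args) < 2` branch and again under `default`, and like every other diagnostic it goes to stdout; a small helper keeps the two copies in sync and routes them to stderr where a caller parsing stdout will not see them. As rendered, the usage lines (`" netcon -h -p "`) carry no argument placeholders — if `<ip>`/`<port>` were lost in rendering this is moot, otherwise the flag names alone give a user no hint of what to pass. The `chain` case tolerates a failed dial but exits on a failed command, which looks intentional for a chained simulation but deserves a comment such as `// dial failure is non-fatal: the connection attempt itself is the observable`.
```go
// usage prints the sub-command synopsis to stderr and exits non-zero.
func usage() {
	fmt.Fprintln(os.Stderr, "Usage:")
	fmt.Fprintln(os.Stderr, " netcon -h -p ")
	fmt.Fprintln(os.Stderr, " exec -c ")
	fmt.Fprintln(os.Stderr, " chain -h -p -c ")
	os.Exit(1)
}

func main() {
	// … unchanged: flag set definitions …
	if len(os.Args) < 2 {
		usage()
	}
	// … unchanged: netcon, exec and chain cases …
	default:
		fmt.Fprintln(os.Stderr, "Invalid command")
		usage()
	}
}
```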
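Review bot: `common.execute([masquerade, "/etc/passwd /etc/shadow"], timeout=10, kill=True)` passes both paths as a single argv element, so the spawned process carries one argument containing a space rather than the two separate arguments a real `unshadow` invocation produces; if the rule matches on individual `process.args` terms the joined string may not match it. Splitting the arguments reproduces the real command line: `common.execute([masquerade, "/etc/passwd", "/etc/shadow"], timeout=10, kill=True)`.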
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml b/rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml similarity index 98% rename from rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml rename to rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml index b8b9f94ac..35dc491fb 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml +++ b/rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2022/09/14" +deprecation_date = "2023/06/22" integration = ["system"] -maturity = "production" +maturity = "deprecated" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/06/22" @@ -52,6 +53,7 @@ rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access"] type = "eql" + query = ''' sequence by host.id, source.ip with maxspan=10s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and @@ -82,8 +84,6 @@ reference = "https://attack.mitre.org/techniques/T1110/003/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -95,7 +95,10 @@ id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" + + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + 
diff --git a/rules/linux/execution_reverse_shell_via_named_pipe.toml b/rules/_deprecated/execution_reverse_shell_via_named_pipe.toml similarity index 91% rename from rules/linux/execution_reverse_shell_via_named_pipe.toml rename to rules/_deprecated/execution_reverse_shell_via_named_pipe.toml index 4211ea5c1..b22c99d19 100644 --- a/rules/linux/execution_reverse_shell_via_named_pipe.toml +++ b/rules/_deprecated/execution_reverse_shell_via_named_pipe.toml @@ -1,10 +1,11 @@ [metadata] creation_date = "2022/11/14" +deprecation_date = "2023/07/04" integration = ["endpoint"] -maturity = "production" +maturity = "deprecated" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/04" [rule] author = ["Elastic"] @@ -34,7 +35,13 @@ references = [ risk_score = 47 rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", +] type = "eql" query = ''' diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/_deprecated/threat_intel_filebeat8x.toml similarity index 91% rename from rules/cross-platform/threat_intel_filebeat8x.toml rename to rules/_deprecated/threat_intel_filebeat8x.toml index 479ff7286..3399cc01b 100644 --- a/rules/cross-platform/threat_intel_filebeat8x.toml +++ b/rules/_deprecated/threat_intel_filebeat8x.toml 
@@ -1,16 +1,16 @@ [metadata] creation_date = "2021/11/24" -maturity = "production" -updated_date = "2023/06/27" +deprecation_date = "2023/07/03" +maturity = "deprecated" min_stack_comments = "Updating the rule for 8.5+ users before deprecation." min_stack_version = "8.5.0" +updated_date = "2023/07/03" [rule] author = ["Elastic"] description = """ -This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations. - -This rule was deprecated. See the Setup section for more information and alternative rules. +This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or +network observations. This rule was deprecated. See the Setup section for more information and alternative rules. """ from = "now-65m" index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] 
@@ -59,126 +59,134 @@ This rule was deprecated in the 8.8 version of the Elastic Stack for performance * Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60 * Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3 """ -references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"] +references = ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"] risk_score = 99 rule_id = "699e9fdb-b77c-4c01-995c-1c15019b9c43" severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +threat_index = ["filebeat-8*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.module:threatintel and (threat.indicator.file.hash.*:* or +threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or +threat.indicator.url.full:*) +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" type = "threat_match" -threat_index = ["filebeat-8*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.module:threatintel and - (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or - threat.indicator.registry.path:* or threat.indicator.url.full:*) -''' - -query = """ +query = ''' file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.module" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threatintel" [rule.threat_filters.query.match_phrase] "event.module" = "threatintel" - [[rule.threat_filters]] + 
[rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" - [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.pe.imphash" type = "mapping" value = "threat.indicator.file.pe.imphash" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "source.ip" type = "mapping" value = "threat.indicator.ip" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "destination.ip" type = "mapping" value = "threat.indicator.ip" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "url.full" type = "mapping" value = "threat.indicator.url.full" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = 
"registry.path" type = "mapping" value = "threat.indicator.registry.path" + + diff --git a/rules/cross-platform/threat_intel_fleet_integrations.toml b/rules/_deprecated/threat_intel_fleet_integrations.toml similarity index 92% rename from rules/cross-platform/threat_intel_fleet_integrations.toml rename to rules/_deprecated/threat_intel_fleet_integrations.toml index 37a1b7412..d47c52bee 100644 --- a/rules/cross-platform/threat_intel_fleet_integrations.toml +++ b/rules/_deprecated/threat_intel_fleet_integrations.toml @@ -1,16 +1,16 @@ [metadata] creation_date = "2021/04/21" -maturity = "production" -updated_date = "2023/06/27" +deprecation_date = "2023/07/03" +maturity = "deprecated" min_stack_comments = "Updating the rule for 8.5+ users before deprecation." min_stack_version = "8.5.0" +updated_date = "2023/07/03" [rule] author = ["Elastic"] description = """ -This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations. - -This rule was deprecated. See the Setup section for more information and alternative rules. +This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network +observations. This rule was deprecated. See the Setup section for more information and alternative rules. """ from = "now-65m" index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] 
@@ -59,126 +59,134 @@ This rule was deprecated in the 8.8 version of the Elastic Stack for performance * Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60 * Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3 """ -references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"] +references = ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"] risk_score = 99 rule_id = "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0" severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] +threat_index = ["logs-ti_*"] +threat_indicator_path = "threat.indicator" +threat_language = "kuery" +threat_query = """ +@timestamp >= "now-30d/d" and event.dataset:ti_* and (threat.indicator.file.hash.*:* or +threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or +threat.indicator.url.full:*) +""" timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" type = "threat_match" -threat_index = ["logs-ti_*"] -threat_indicator_path = "threat.indicator" -threat_language = "kuery" - -threat_query = ''' -@timestamp >= "now-30d/d" and event.dataset:ti_* and - (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or - threat.indicator.registry.path:* or threat.indicator.url.full:*) -''' - -query = """ +query = ''' file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:* -""" +''' [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.dataset" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "ti_*" [rule.threat_filters.query.match_phrase] "event.dataset" = "ti_*" - [[rule.threat_filters]] + [rule.threat_filters."$state"] 
store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.category" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.kind" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" - [[rule.threat_filters]] + [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] -negate = false disabled = false -type = "phrase" key = "event.type" +negate = false +type = "phrase" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" - [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.md5" type = "mapping" value = "threat.indicator.file.hash.md5" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.sha1" type = "mapping" value = "threat.indicator.file.hash.sha1" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.hash.sha256" type = "mapping" value = "threat.indicator.file.hash.sha256" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "file.pe.imphash" type = "mapping" value = "threat.indicator.file.pe.imphash" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "source.ip" type = "mapping" value = "threat.indicator.ip" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "destination.ip" type = "mapping" value = "threat.indicator.ip" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "url.full" type = "mapping" value = "threat.indicator.url.full" [[rule.threat_mapping]] + [[rule.threat_mapping.entries]] field = "registry.path" type = "mapping" value = 
"threat.indicator.registry.path" + + diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index ec1d86aa7..49a518262 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -44,6 +44,9 @@ or process.args : "elastic-agent" and process.args : "stop") or + /* pkill , killall used to stop Elastic Agent on Linux */ + ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent") + or /* Unload Elastic Agent extension on MacOS */ (process.name : "kextunload" and process.args : "com.apple.iokit.EndpointSecurity" and diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml index f3c38d4e5..749b24a85 100644 --- a/rules/cross-platform/threat_intel_indicator_match_url.toml +++ b/rules/cross-platform/threat_intel_indicator_match_url.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2023/06/27" +updated_date = "2023/07/03" min_stack_comments = """ Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules. @@ -97,3 +97,15 @@ value = "threat.indicator.url.full" field = "url.domain" type = "mapping" value = "threat.indicator.url.domain" + +[[rule.threat_mapping]] +[[rule.threat_mapping.entries]] +field = "source.domain" +type = "mapping" +value = "threat.indicator.url.domain" + +[[rule.threat_mapping]] +[[rule.threat_mapping.entries]] +field = "destination.domain" +type = "mapping" +value = "threat.indicator.url.domain" 
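Review bot: The new `pkill`/`killall` clause writes `process.args: "elastic-agent"` with no space before the colon and a stray space after the opening parenthesis, while the neighbouring clauses use the `field : value` spacing; `(event.type == "end" and process.name : ("pkill", "killall") and process.args : "elastic-agent")` matches the file. Because `pkill` accepts a partial-name pattern, only invocations with the literal token `elastic-agent` in their argv are covered by the exact term; whether that narrower coverage is intended is worth a comment next to the clause. The enclosing query starts and ends outside the hunk.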
diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml new file mode 100644 index 000000000..4311d3809 --- /dev/null +++ b/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml 
@@ -0,0 +1,53 @@ +[metadata] +creation_date = "2023/06/28" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/28" + +[rule] +author = ["Elastic"] +description = "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment." +from = "now-6m" +index = ["logs-cloud_defend*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "AWS Credentials Searched For Inside A Container" +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +references = [ + "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", +] +risk_score = 47 +rule_id = "d0b0f3ed-0b37-44bf-adee-e8cb7de92767" +severity = "medium" +timestamp_override = "event.ingested" +type = "eql" + +query = """ +process where event.module == "cloud_defend" and + event.type == "start" and + +/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ +(process.name : ("grep", "egrep", "fgrep", "find", "locate", "mlocate") or process.args : ("grep", "egrep", "fgrep", "find", "locate", "mlocate")) and +process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*", "*access_key*", "*.aws/credentials*") +""" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0006" + reference = "https://attack.mitre.org/tactics/TA0006/" + name = "Credential Access" + + [[rule.threat.technique]] + id = "T1552" + reference = "https://attack.mitre.org/techniques/T1552/" + name = "Unsecured Credentials" + + 
[[rule.threat.technique.subtechnique]] + id = "T1552.001" + reference = "https://attack.mitre.org/techniques/T1552/001/" + name = "Credentials In Files" diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml new file mode 100644 index 000000000..76e8dad4c --- /dev/null +++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml 
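Review bot: No `false_positives` entry accompanies a query that fires on any `grep`/`find` invocation naming `*access_key*` or `.aws/credentials`, which credential-hygiene scanners and operators auditing a container do legitimately; a line such as `false_positives = ["Security tooling or administrators auditing a container for leaked credentials."]` would help triage. `"*access_key*"` and `"*secretaccesskey*"` also match key names that are not AWS-specific, which the description could acknowledge. The `description` is one very long line whereas the sibling cloud_defend rule in this commit wraps it in a `"""` block; the two new rules should follow one convention.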
@@ -0,0 +1,56 @@ +[metadata] +creation_date = "2023/06/06" +integration = ["cloud_defend"] +maturity = "production" +min_stack_comments = "New Integration: Cloud Defend" +min_stack_version = "8.8.0" +updated_date = "2023/06/23" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. +The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying +the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and +has been used to evade detection of malicious processes in container environments. +""" +from = "now-6m" +index = ["logs-cloud_defend*"] +interval = "5m" +language = "eql" +license = "Elastic License v2" +name = "Modification of Dynamic Linker Preload Shared Object Inside A Container" +references = [ + "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", + "https://sysdig.com/blog/threat-detection-aws-cloud-containers/", +] +risk_score = 73 +rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee" +severity = "high" +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "Tactic: Defense Evasion"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense 
Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml index 13bdc463d..6da38310c 100644 --- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml +++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml @@ -4,7 +4,8 @@ integration = ["kubernetes"] maturity = "production" min_stack_comments = "New fields added to Kubernetes Integration" min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2023/06/23" + [rule] author = ["Elastic"] @@ -41,7 +42,7 @@ query = ''' event.dataset:kubernetes.audit_logs and kubernetes.audit.annotations.authorization_k8s_io/decision:allow and kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *) - and not kubernetes.audit.objectRef.resource:(healthz or livez or readyz) + and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz*) ''' diff --git a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml new file mode 100644 index 000000000..df836da58 --- /dev/null +++ b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml 
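Review bot: `event.module== "cloud_defend"` and `file.path== "/etc/ld.so.preload"` omit the space before `==` that the sibling cloud_defend rule in this commit uses; `file where event.module == "cloud_defend" and event.type != "deletion" and file.path == "/etc/ld.so.preload"` reads consistently. The tags also lack the `"Use Case: Threat Detection"` entry the other new rule carries. The `[[rule.threat.technique]]` block is placed before `[rule.threat.tactic]`, the reverse of the AWS-credentials rule's order — harmless in TOML but inconsistent between two rules added together.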
@@ -0,0 +1,57 @@ +[metadata] +creation_date = "2023/07/18" +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" +min_stack_version = "8.6.0" +integration = ["o365"] +updated_date = "2023/07/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last +10 days. +""" +false_positives = ["User using a new mail client."] +from = "now-30m" +index = ["filebeat-*", "logs-o365*"] +language = "kuery" +license = "Elastic License v2" +name = "Suspicious Microsoft 365 Mail Access by ClientAppId" +note = """## Setup + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +""" +references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"] +risk_score = 47 +rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2" +severity = "medium" +tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + + +[rule.new_terms] +field = "new_terms_fields" +value = ["o365.audit.ClientAppId", "user.id"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-10d" \ No newline at end of file 
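Review bot: `description` has a typo: `observed for the fist time` should read `observed for the first time`. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other rule files in this commit. `"Use Case: Configuration Audit"` looks like an odd tag for a mailbox-access detection; `"Use Case: Threat Detection"` appears to be the intended one, if that is the value the tag set allows.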
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml index 03817bb34..b3f833246 100644 --- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
@@ -16,7 +16,44 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempted Bypass of Okta MFA" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempted Bypass of Okta MFA + +Multi-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application. + +This rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network. + +#### Possible investigation steps + +- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert. +- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. +- Examine the `okta.outcome.reason` field for additional context around the bypass attempt. +- Check the `okta.outcome.result` field to confirm the MFA bypass attempt. +- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`). +- Check for successful logins immediately following the MFA bypass attempt. +- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt. + +### False positive analysis + +- Check if there were issues with the MFA system at the time of the bypass attempt. This could indicate a system error rather than a genuine bypass attempt. +- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive. +- Verify the actor's MFA settings to ensure they are correctly configured. 
+ +### Response and remediation + +- If unauthorized access is confirmed, initiate the incident response process. +- Immediately lock the affected actor account and require a password change. +- Consider resetting MFA tokens for the actor and require re-enrollment. +- Check if the compromised account was used to access or alter any sensitive data or systems. +- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques. +- Assess the criticality of affected services and servers. +- Work with your IT team to minimize the impact on users and maintain business continuity. +- If multiple accounts are affected, consider a broader reset or audit of MFA tokens. +- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 4df61eaf1..f03de066b 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] 
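Review bot: The section headings in this note ("#### Possible investigation steps", "### False positive analysis", "### Response and remediation") carry no trailing colon, while the same headings in the brute-force, MFA-push, password-spraying, delete-network-zone and all four policy/policy-rule hunks later in this commit end with ":" — since these notes are rendered side by side in the Kibana rule UI and in the docs build, pick one form for the whole batch. The colon-free form used here (and in the impersonation and deactivate-network-zone notes) is the one the existing rule notes in this repository use, so I would drop the colons in the other hunks rather than add them here. Everything else in this hunk reads well; the step `Check the okta.outcome.result field to confirm the MFA bypass attempt` could be made actionable by stating which result value the rule keys on, but that value is in the query outside this hunk, so verify it before quoting it in the note.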
@@ -18,7 +18,41 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempts to Brute Force an Okta User Account" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempts to Brute Force an Okta User Account + +Brute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted. + +This rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts. + +#### Possible investigation steps: + +- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted. +- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout. +- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events. +- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack. +- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious. +- Determine if the lockout events occurred during the user's regular activity hours. Unusual timing may indicate malicious activity. +- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field. + +### False positive analysis: + +- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout. +- Ensure there are no known network or application issues that might cause these events. 
+ +### Response and remediation: + +- Alert the user and your IT department immediately. +- If unauthorized access is confirmed, initiate your incident response process. +- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue. +- Require the affected user to change their password. +- If the attack is ongoing, consider blocking the IP address initiating the brute force attack. +- Implement account lockout policies to limit the impact of brute force attacks. +- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication. +- Check if the compromised account was used to access or alter any sensitive data or systems. + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml index 225994793..7c51046db 100644 --- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml +++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
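Review bot: The sentence `This rule fires when an Okta user account has been locked out 3 times within a 3-hour window` hard-codes threshold and window values that live in the rule's threshold/`from` settings outside this hunk, and `Okta's default authentication policy locks a user account after 10 failed authentication attempts` states a vendor default that an org's password policy can change; both will silently go stale, so I would qualify them, e.g. `Okta's default password policy locks an account after 10 failed attempts, but check your org's policy`. The remediation bullet `Implement account lockout policies to limit the impact of brute force attacks` is circular for this rule, which only fires because lockout is already enabled — replace it with a control that actually reduces exposure here, such as enabling Okta ThreatInsight blocking or a deny-list Network Zone for the offending source. Consider also moving `If unauthorized access is confirmed, initiate your incident response process` to the first bullet so the ordering matches the other notes in this commit.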
@@ -17,7 +17,41 @@ index = ["filebeat-*", "logs-okta*"] language = "eql" license = "Elastic License v2" name = "Potential Abuse of Repeated MFA Push Notifications" -note = """## Setup +note = """## Triage and analysis + +### Investigating Potential Abuse of Repeated MFA Push Notifications + +Multi-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access. + +This rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy. + +#### Possible investigation steps: + +- Identify the user who received the MFA notifications by reviewing the `user.email` field. +- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login. +- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action. +- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account. +- Check if the MFA requests and the successful login occurred during the user's regular activity hours. +- Look for any other suspicious activity on the account around the same time. +- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack. + +### False positive analysis: + +- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them. +- Check if there are known issues with the MFA system causing false denials. 
+ +### Response and remediation: + +- If unauthorized access is confirmed, initiate your incident response process. +- Alert the user and your IT department immediately. +- If possible, isolate the user's account until the issue is resolved. +- Investigate the source of the unauthorized access. +- If the account was accessed by an unauthorized party, determine the actions they took after logging in. +- Consider enhancing your MFA policy to prevent such incidents in the future. +- Encourage users to report any unexpected MFA notifications immediately. +- Review and update your incident response plans and security policies based on the findings from the incident. + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml index 3dc76ee54..a70670387 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
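Review bot: The remediation list omits the two actions that are specific to MFA-fatigue abuse, which is what this rule detects: revoking the user's active Okta sessions and resetting/re-enrolling the Okta Verify factor so a push approval the user may have granted by mistake cannot be reused. The bullet `If possible, isolate the user's account until the issue is resolved` is too vague to act on during an incident; I would replace it with `Clear the user's active sessions and reset their Okta Verify factor until the activity is explained`. The closing bullet `Consider enhancing your MFA policy to prevent such incidents in the future` could likewise name the concrete mitigation for repeated push prompts (a number-matching / challenge prompt on Okta Verify) instead of leaving it generic. The ten-minute window and the two-deny/one-success sequence described at the top of the note are defined in the EQL query outside this hunk, so those numbers should be kept in sync if the query is tuned.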
@@ -23,7 +23,36 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Okta Brute Force or Password Spraying Attack" -note = """## Setup +note = """## Triage and analysis + +### Investigating Okta Brute Force or Password Spraying Attack + +This rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords. + +#### Possible investigation steps: + +- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated. +- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts. +- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack. +- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool? +- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location? +- Analyze any previous successful logins from this IP. Was this IP previously associated with successful logins? + +### False positive analysis: + +- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive. +- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive. + +### Response and remediation: + +- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level. +- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords. 
+- Enhance monitoring on the affected user accounts for any suspicious activity. +- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts. +- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts. +- Review and update your security policies based on the findings from the incident. + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml index ea45a609f..59b6b5f77 100644 --- a/rules/integrations/okta/credential_access_user_impersonation_access.toml +++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
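Review bot: The remediation step `consider blocking the source IP at the firewall level` does not apply to this rule: the failed authentications are against Okta's hosted endpoints, so an on-premises firewall is not in the path and cannot stop them — the applicable control is an Okta Network Zone deny-list entry (or Okta ThreatInsight with blocking enabled). I would rewrite the bullet as `If you identify unauthorized access attempts, add the source IP to a blocked Okta Network Zone and confirm ThreatInsight is set to block`. The two consecutive bullets that both begin `If the attack is persistent, consider implementing` should be merged into one, and the CAPTCHA suggestion in the first of them is not something an Okta tenant admin can configure for the default sign-in flow, so it is better dropped or hedged. The note also says `Determine the geographical location of the source IP` without naming a field; the other Okta notes in this commit point at `okta.request.ip_chain.geographical_context`, so the same field could be cited here for consistency.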
@@ -19,7 +19,35 @@ interval = "15m" language = "kuery" license = "Elastic License v2" name = "Okta User Session Impersonation" -note = """## Setup +note = """## Triage and analysis + +### Investigating Okta User Session Impersonation + +The detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected. + +#### Possible investigation steps + +- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields. +- Review the `event.action` field to confirm the initiation of the impersonation event. +- Check the `event.time` field to understand the timing of the event. +- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated. +- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event. + +### False positive analysis + +- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts. +- Ensure that the impersonation session was initiated by an authorized individual. You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators. + +### Response and remediation + +- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately. +- Reset the user session and invalidate any active sessions related to the impersonated user. 
+- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques. +- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data. +- Review and update your security policies to prevent such incidents in the future. +- Implement additional monitoring and logging of Okta events to improve visibility of user actions. + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml index 9387f463f..82aa64827 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
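Review bot: The investigation step `Check the event.time field to understand the timing of the event` refers to a field that, as far as I can tell, does not exist in ECS or in the Okta integration's mapping — the event timestamp is `@timestamp`; the same `event.time` reference appears in the deactivate-network-zone and delete-network-zone hunks of this commit, so fix all three together. I would change the bullet to `Check the @timestamp field to understand when the event occurred`, or simply fold the timing check into the first step. The response step `If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques` is copied from the MFA-bypass note and does not fit this rule, where impersonation is an Okta admin feature rather than an exploit; a more useful replacement is to review which admin roles grant session impersonation and restrict them to the accounts that need it. Confirm the field name against the integration's `fields.yml` before merging, since I am reasoning from ECS rather than from the mapping itself.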
@@ -23,7 +23,36 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Deactivate an Okta Network Zone" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Deactivate an Okta Network Zone + +The Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses. + +#### Possible investigation steps + +- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields. +- Examine the `event.action` field to confirm the deactivation of a network zone. +- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated. +- Investigate the `event.time` field to understand when the event happened. +- Review the actor's activities before and after the event to understand the context of this event. + +### False positive analysis + +- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. If these match the actor's normal behavior, it might be a false positive. +- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone. +- Verify the actor's actions with any known planned changes or maintenance activities. + +### Response and remediation + +- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change. +- Re-enable the deactivated network zone if it was deactivated without authorization. +- Review and update the privileges of the actor who initiated the deactivation. 
+- Check the security policies and procedures to identify any gaps and update them as necessary. +- Implement additional monitoring and logging of Okta events to improve visibility of user actions. +- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings. + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml index c11e2e89f..3c39f5e83 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
@@ -23,7 +23,36 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Delete an Okta Network Zone" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Delete an Okta Network Zone + +Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses. + +#### Possible investigation steps: + +- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields. +- Examine the `event.action` field to confirm the deletion of a network zone. +- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted. +- Review the `event.time` field to understand when the event happened. +- Check the actor's activities before and after the event to understand the context of this event. + +### False positive analysis: + +- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. If these match the actor's typical behavior, it might be a false positive. +- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone. +- Cross-verify the actor's actions with any known planned changes or maintenance activities. + +### Response and remediation: + +- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change. +- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one. 
+- Review and update the privileges of the actor who initiated the deletion. +- Identify any gaps in the security policies and procedures and update them as necessary. +- Implement additional monitoring and logging of Okta events to improve visibility of user actions. +- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings. + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml index a15b64710..4e3d4479b 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml 
@@ -23,7 +23,44 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Deactivate an Okta Policy" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Deactivate an Okta Policy + +Okta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities. + +This rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. For example, disabling an MFA policy could lower the security of user authentication processes. + +#### Possible investigation steps: + +- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert. +- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. +- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt. +- Check the `okta.outcome.result` field to confirm the policy deactivation attempt. +- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`). +- Check for successful logins immediately following the policy deactivation attempt. +- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt. + +### False positive analysis: + +- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity. 
+- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. If these match the actor's normal behavior, it might be a false positive. +- Verify the actor's administrative rights to ensure they are correctly configured. + +### Response and remediation: + +- If unauthorized policy deactivation is confirmed, initiate the incident response process. +- Immediately lock the affected actor account and require a password change. +- Consider resetting MFA tokens for the actor and require re-enrollment. +- Check if the compromised account was used to access or alter any sensitive data or systems. +- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques. +- Assess the criticality of affected services and servers. +- Work with your IT team to minimize the impact on users and maintain business continuity. +- If multiple accounts are affected, consider a broader reset or audit of MFA tokens. +- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index 26d30c1f7..5517b1b40 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml 
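Review bot: Unlike every other Okta rule touched in this commit, `defense_evasion_okta_attempt_to_deactivate_okta_policy.toml` has no accompanying hunk bumping `updated_date` to `2023/06/30`, so unless its metadata was already at or past that date the version-lock/docs tooling will not see this note change — worth a check before merging. The remediation list is also copied verbatim from the MFA-bypass note (MFA token resets, "check for successful logins immediately following the attempt") and omits the one action this rule actually calls for: re-activate the deactivated policy and verify its rules are intact, then review the actor's admin role assignment; I would add `Re-activate the affected policy and confirm its rules were not modified before the deactivation` as the second bullet. The same copy-paste gap is present in the deactivate-policy-rule and delete-policy hunks that follow, where "re-enable the rule" and "recreate the policy from the last known configuration" respectively are the missing steps. Headings in this note end with ":" while the first Okta note in the commit does not; pick one style for the batch.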
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/30"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,44 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Deactivate an Okta Policy Rule" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Deactivate an Okta Policy Rule + +Identity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities. + +This rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. A threat actor may do this to remove barriers to their activities or enable future attacks. + +#### Possible investigation steps: + +- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert. +- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. +- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt. +- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt. +- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`). +- Check for successful logins immediately following the policy rule deactivation attempt. +- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt. + +### False positive analysis: + +- Check if there were issues with the Okta system at the time of the deactivation attempt. 
This could indicate a system error rather than a genuine threat activity. +- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. If these match the actor's normal behavior, it might be a false positive. +- Verify the actor's administrative rights to ensure they are correctly configured. + +### Response and remediation: + +- If unauthorized policy rule deactivation is confirmed, initiate the incident response process. +- Immediately lock the affected actor account and require a password change. +- Consider resetting MFA tokens for the actor and require re-enrollment. +- Check if the compromised account was used to access or alter any sensitive data or systems. +- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques. +- Assess the criticality of affected services and servers. +- Work with your IT team to minimize the impact on users and maintain business continuity. +- If multiple accounts are affected, consider a broader reset or audit of MFA tokens. +- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml index ce46bec20..f1ca3dd89 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml 
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/30"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,44 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Delete an Okta Policy" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Delete an Okta Policy + +Okta policies are critical to managing user access and enforcing security controls within an organization. The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities. + +This rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. Adversaries may do this to bypass security barriers and enable further malicious activities. + +#### Possible investigation steps: + +- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert. +- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. +- Examine the `okta.outcome.reason` field for additional context around the deletion attempt. +- Check the `okta.outcome.result` field to confirm the policy deletion attempt. +- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`). +- Check for successful logins immediately following the policy deletion attempt. +- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt. + +### False positive analysis: + +- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity. +- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive. +- Verify the actor's administrative rights to ensure they are correctly configured. + +### Response and remediation: + +- If unauthorized policy deletion is confirmed, initiate the incident response process. +- Immediately lock the affected actor account and require a password change. +- Consider resetting MFA tokens for the actor and require re-enrollment. +- Check if the compromised account was used to access or alter any sensitive data or systems. +- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques. +- Assess the criticality of affected services and servers. +- Work with your IT team to minimize the impact on users and maintain business continuity. +- If multiple accounts are affected, consider a broader reset or audit of MFA tokens. +- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml index cdab4bd3a..d03380c64 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
@@ -22,7 +22,44 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Delete an Okta Policy Rule" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Delete an Okta Policy Rule + +Okta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities. + +This rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. Adversaries may do this to circumvent security measures and enable further malicious activities. + +#### Possible investigation steps: + +- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert. +- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. +- Examine the `okta.outcome.reason` field for additional context around the deletion attempt. +- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt. +- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`). +- Check for successful logins immediately following the policy rule deletion attempt. +- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt. + +### False positive analysis: + +- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity. 
+- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. If these match the actor's normal behavior, it might be a false positive. +- Verify the actor's administrative rights to ensure they are correctly configured. + +### Response and remediation: + +- If unauthorized policy rule deletion is confirmed, initiate the incident response process. +- Immediately lock the affected actor account and require a password change. +- Consider resetting MFA tokens for the actor and require re-enrollment. +- Check if the compromised account was used to access or alter any sensitive data or systems. +- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques. +- Assess the criticality of affected services and servers. +- Work with your IT team to minimize the impact on users and maintain business continuity. +- If multiple accounts are affected, consider a broader reset or audit of MFA tokens. +- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml index 5966835be..1cac48ec5 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml 
@@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
@@ -23,7 +23,42 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Modify an Okta Network Zone" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Modify an Okta Network Zone + +The modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls. + +#### Possible investigation steps: + +- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert. +- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. +- Examine the `okta.outcome.reason` field for additional context around the modification attempt. +- Check the `okta.outcome.result` field to confirm the network zone modification attempt. +- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`). +- Check for successful logins immediately following the modification attempt. +- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt. + +### False positive analysis: + +- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity. +- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive. +- Verify the actor's administrative rights to ensure they are correctly configured. 
+ +### Response and remediation: + +- If unauthorized modification is confirmed, initiate the incident response process. +- Immediately lock the affected actor account and require a password change. +- Consider resetting MFA tokens for the actor and require re-enrollment. +- Check if the compromised account was used to access or alter any sensitive data or systems. +- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques. +- Assess the criticality of affected services and servers. +- Work with your IT team to minimize the impact on users and maintain business continuity. +- If multiple accounts are affected, consider a broader reset or audit of MFA tokens. +- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml index 6a9d8ca61..03a4d292a 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
@@ -23,7 +23,33 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Modify an Okta Policy" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Modify an Okta Policy + +Modifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation. + +#### Possible investigation steps: +- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`. +- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`. +- Check the nature of the policy modification. You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`. +- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt. +- Check if there have been other similar modification attempts in a short time span from the same actor or IP address. + +### False positive analysis: +- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations. +- Check if the actor associated with the event has legitimate rights to modify the Okta policies. +- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive. + +### Response and remediation: +- If unauthorized modification is confirmed, initiate the incident response process. +- Lock the actor's account and enforce password change as an immediate response. +- Reset MFA tokens for the actor and enforce re-enrollment, if applicable. 
+- Review any other actions taken by the actor to assess the overall impact. +- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques. +- Consider a security review of your Okta policies and rules to ensure they follow security best practices. + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index 547fe176b..559417274 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
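Review bot: The client-identification step in this guide points analysts at `okta.client.ip_chain.ip` and `okta.client.geographical_context`, while the sibling guides added in this commit (delete policy, delete policy rule, network zone, modify policy rule) use `okta.request.ip_chain.geographical_context` for the same pivot; the `okta.client.ip_chain.*` form appears nowhere else on the page and should be verified against the Okta integration's field reference before the guide ships. The same `okta.client.ip_chain.ip` reference is repeated in the password-reset/unlock and API-token-revocation guides further down, so whichever name is correct should be applied to all three at once. This guide also omits the blank line between each heading and its list that the other guides in the set keep; one layout for the whole batch would be easier to maintain.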
@@ -22,7 +22,42 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Modify an Okta Policy Rule" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Modify an Okta Policy Rule + +The modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls. + +#### Possible investigation steps: + +- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert. +- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. +- Examine the `okta.outcome.reason` field for additional context around the modification attempt. +- Check the `okta.outcome.result` field to confirm the rule modification attempt. +- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`). +- Check for successful logins immediately following the modification attempt. +- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt. + +### False positive analysis: + +- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity. +- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive. +- Verify the actor's administrative rights to ensure they are correctly configured. + +### Response and remediation: + +- If unauthorized modification is confirmed, initiate the incident response process. +- Immediately lock the affected actor account and require a password change. 
+- Consider resetting MFA tokens for the actor and require re-enrollment. +- Check if the compromised account was used to access or alter any sensitive data or systems. +- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques. +- Assess the criticality of affected services and servers. +- Work with your IT team to minimize the impact on users and maintain business continuity. +- If multiple accounts are affected, consider a broader reset or audit of MFA tokens. +- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 1cf95e7b3..2cd034832 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] 
@@ -25,9 +25,36 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "High Number of Okta User Password Reset or Unlock Attempts" -note = """## Setup +note = """## Triage and analysis + +### Investigating High Number of Okta User Password Reset or Unlock Attempts + +This rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account. + +#### Possible investigation steps: +- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose. +- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`. +- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts. +- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts. +- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack. +- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity. + +### False positive analysis: +- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts. +- Check the actor's past behavior. 
If this is their usual behavior and they have a valid reason for it, then it might be a false positive. + +### Response and remediation: +- If unauthorized attempts are confirmed, initiate the incident response process. +- Reset the user's password and enforce MFA re-enrollment, if applicable. +- Block the IP address or device used in the attempts, if they appear suspicious. +- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques. +- Consider a security review of your Okta policies and rules to ensure they follow security best practices. + +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +""" -The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml index 74ccb7d6d..a2267b536 100644 --- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml +++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
@@ -22,9 +22,35 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Revoke Okta API Token" -note = """## Setup +note = """## Triage and analysis + +### Investigating Attempt to Revoke Okta API Token + +The rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities. + +#### Possible investigation steps: +- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose. +- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields. +- Verify if the API token revocation was authorized or part of some planned activity. +- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed. +- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason. +- Evaluate the actions that happened just before and after this event. It can help understand the full context of the activity. + +### False positive analysis: +- It might be a false positive if the action was part of a planned activity or was performed by an authorized person. + +### Response and remediation: +- If unauthorized revocation attempts are confirmed, initiate the incident response process. +- Block the IP address or device used in the attempts, if they appear suspicious. +- Reset the user's password and enforce MFA re-enrollment, if applicable. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. 
+- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact. + +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +""" -The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml index 887f506c9..7887f83d5 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
@@ -22,9 +22,38 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Deactivate an Okta Application" -note = """## Setup +note = """ +## Triage and analysis -The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +### Investigating Attempt to Deactivate an Okta Application + +This rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization. + +#### Possible investigation steps: +- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. +- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields. +- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields. +- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed. +- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field. +- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + +### False positive analysis: +- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure. 
+- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity. + +### Response and remediation: +- If unauthorized deactivation attempts are confirmed, initiate the incident response process. +- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields. +- Reset the user's password and enforce MFA re-enrollment, if applicable. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact. + +## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. +""" references = [ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml index 8f502951b..f8aa06253 100644 --- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml +++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml 
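Review bot: The step `Review the past activities of the actor involved in this action by checking their previous actions logged in the okta.target field` sends an analyst to the wrong place: `okta.target` describes the object acted on in this event, not the actor's history, so prior activity will not be found there. Suggested wording: `- Review the actor's past activity by pivoting on okta.actor.id (or okta.actor.alternate_id) over a wider time window, and compare the okta.target of those events with the application targeted here.` Separately, this `note` opens with a bare newline after `note = """` whereas the other guides in this commit start `## Triage and analysis` on the same line; pick one form for the set.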
@@ -46,9 +46,9 @@ type = "eql" query = ''' sequence by process.entity_id with maxspan=1m [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and user.id == "0" and - not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")] + not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")] [process where host.os.type == "linux" and event.action == "session_id_change" and user.id == "0" and - not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")] + not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")] ''' diff --git a/rules/linux/credential_access_bruteforce_password_guessing.toml b/rules/linux/credential_access_bruteforce_password_guessing.toml index daf89c10b..4a35864cc 100644 --- a/rules/linux/credential_access_bruteforce_password_guessing.toml +++ b/rules/linux/credential_access_bruteforce_password_guessing.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/28" [rule] author = ["Elastic"] 
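Review bot: Both changed lines widen the exclusion list to `/usr/bin/ssh` and `/usr/bin/sshpass`, but this file's metadata block is not touched, so its `updated_date` is left at the old value while every other rule edited in this commit bumps it; unless the version-lock tooling covers this case, bump it here as well. `sshpass` exists to drive password-based SSH logins from scripts, so excluding it from a root-session connection rule suppresses any root session started that way — if that is intended, record the rationale in the rule's `note` or `false_positives` so the gap is documented rather than silent. Style: the new entries are appended without the `, ` separator the existing list uses; `"/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/sshpass")` keeps the two exclusion lists readable and byte-identical to each other.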
@@ -55,7 +55,7 @@ type = "eql" query = ''' sequence by host.id, source.ip, user.name with maxspan=3s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and - event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=2 + event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index b2c88a612..a5c038256 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/21" +updated_date = "2023/06/28" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", - "::1", "FE80::/10", "FF00::/8") ] with runs = 3 + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 ''' diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index 58959516d..fae0e736c 100644 
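Review bot: `runs=10` is now required inside the unchanged `maxspan=3s`, so the rule fires only when ten failures for the same `host.id`/`source.ip`/`user.name` land within three seconds before the success; a guesser pacing attempts slower than roughly three per second no longer matches, which is a considerably narrower net than the 2-in-3s it replaces. The external SSH brute-force hunk on this line and the internal one on the next diff line make the same move to `runs = 10` with `maxspan=5s` unchanged, so the same pacing question applies there. If the goal is to cut noise from a few mistyped passwords, consider widening `maxspan` in step with `runs`, or state the chosen threshold and its reasoning in the rule `note` so the trade-off is explicit. The `description` text of these rules sits outside the hunks and should be checked against the new thresholds.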
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/28" [rule] author = ["Elastic"] @@ -65,7 +65,7 @@ sequence by host.id, source.ip, user.name with maxspan=5s "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", - "::1", "FE80::/10", "FF00::/8") ] with runs = 3 + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 ''' diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml new file mode 100644 index 000000000..efa147837 --- /dev/null +++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml 
@@ -0,0 +1,75 @@ +[metadata] +creation_date = "2023/07/06" +integration = ["auditd_manager"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/06" + +[rule] +author = ["Elastic"] +description = """ +An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different +combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can +include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and +potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting +a specific user account from the same source address and within a short time interval, followed by a successful +authentication. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Successful Linux FTP Brute Force Attack Detected" +note = """## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. +``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +``` +For this detection rule no additional audit rules are required to be added to the integration. +``` +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +""" +risk_score = 47 +rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +type = "eql" +query = ''' +sequence by host.id, auditd.data.addr, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "failure" and + auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] with runs=10 + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "success" and + auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" 
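Review bot: The query joins on `related.user` (and `auditd.data.addr`), so the sequence only fires on ten failures against the same account, yet the threat block maps the rule to T1110.003 Password Spraying, which by definition rotates accounts and would not chain under that key; the subtechnique overstates coverage and should either be dropped or the description should state that the spray case is out of scope. The RDP rule added on the following lines keys on `related.user` too and carries the same mapping. In both new files the setup note puts the sentence `For this detection rule no additional audit rules are required to be added to the integration.` inside a fenced code block where the modprobe and sysctl rules place actual audit rules, so it reads as a command; it should be plain text. Neither rule has a `false_positives` entry, which is worth adding for shared FTP/RDP hosts where a user retrying credentials several times before succeeding is routine.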
diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml new file mode 100644 index 000000000..47419a0c1 --- /dev/null +++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml 
@@ -0,0 +1,73 @@ +[metadata] +creation_date = "2023/07/06" +integration = ["auditd_manager"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/06" + +[rule] +author = ["Elastic"] +description = """ +An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and +password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact +can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks +within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising +the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a +specific user account within a short time interval, followed by a successful authentication. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Successful Linux RDP Brute Force Attack Detected" +note = """## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. 
+``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +``` +For this detection rule no additional audit rules are required to be added to the integration. +``` +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +""" +risk_score = 47 +rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] +type = "eql" +query = ''' +sequence by host.id, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "failure"] with runs=10 + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = 
"https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index b0e4c43c8..a4228f87e 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/28" [rule] author = ["Elastic"] @@ -14,7 +14,7 @@ detection by security controls. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] -language = "kuery" +language = "eql" license = "Elastic License v2" name = "Attempt to Disable Syslog Service" risk_score = 47 @@ -22,14 +22,14 @@ rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.category:process and host.os.type:linux and event.type:(start or process_started) and - ((process.name:service and process.args:stop) or - (process.name:chkconfig and process.args:off) or - (process.name:systemctl and process.args:(disable or stop or kill))) - and process.args:(syslog or rsyslog or "syslog-ng") +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and + ( (process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill")) + ) and process.args in ("syslog", "rsyslog", "syslog-ng") ''' 
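Review bot: The rewritten query at @@ -22,14 filters on `event.action in ("exec", "exec_event")`, while the `index` context line in the @@ -14,7 hunk still lists `auditbeat-*`; the previous KQL matched `event.type:(start or process_started)`, which covered Auditbeat's process events, and Auditbeat does not appear to emit either of those two action values, so that data source is silently dropped by the conversion. Either remove `auditbeat-*` from `index` or add Auditbeat's process-start action to the `in` list, and mention the change in the description. The list `process.args in ("disable", "stop", "kill")` also omits `mask`, which disables a unit as effectively as `disable`; consider `process.args in ("disable", "stop", "kill", "mask")`.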
diff --git a/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml b/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml new file mode 100644 index 000000000..d826f2c2e --- /dev/null +++ b/rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml 
@@ -0,0 +1,101 @@ +[metadata] +creation_date = "2023/06/26" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "The linux.advanced.capture_env_vars option for Elastic Defend has been introduced in 8.6.0" +min_stack_version = "8.6.0" +updated_date = "2023/06/26" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to +inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious +shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common +and will potentially indicate malicious or suspicious behavior. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Process Injection via LD_PRELOAD Environment Variable" +note = """## Setup +By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration. +``` +Kibana --> +Fleet --> +Agent policies --> +Agent policy for which the option should be enabled --> +Name of the Elastic Defend integration --> +Show advanced settings --> +linux.advanced.capture_env_vars +``` +`linux.advanced.capture_env_vars` should be set to `LD_PRELOAD,LD_LIBRARY_PATH`. +After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. 
+""" +references = ["https://www.getambassador.io/resources/code-injection-on-linux-and-macos"] +risk_score = 47 +rule_id = "4973e46b-a663-41b8-a875-ced16dda2bb0" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation"] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and + event.action == "exec" and + process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*") +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Defense Evasion" +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat.technique]] +name = "Hijack Execution Flow" +id = "T1574" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +name = "Dynamic Linker Hijacking" +id = "T1574.006" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Persistence" +id = "TA0003" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat.technique]] +name = "Hijack Execution Flow" +id = "T1574" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +name = "Dynamic Linker Hijacking" +id = "T1574.006" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Privilege Escalation" +id = "TA0004" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat.technique]] +name = "Hijack Execution Flow" +id = "T1574" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +name = "Dynamic Linker Hijacking" +id = "T1574.006" +reference = "https://attack.mitre.org/techniques/T1574/006/" 
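Review bot: The query matches `process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*")`, but the rule `name`, `description` and threat mapping only speak of LD_PRELOAD; LD_LIBRARY_PATH is routinely set by build systems, language runtimes and vendor launch wrappers, so a large share of matches will be legitimate and unexplained to the analyst triaging them. Either document LD_LIBRARY_PATH in the description and add a `false_positives` entry covering those cases, or narrow the query to `process.env_vars : "LD_PRELOAD=?*"` and move LD_LIBRARY_PATH to a separate, lower-severity rule. The setup text tells operators to set `capture_env_vars` to `LD_PRELOAD,LD_LIBRARY_PATH`, so whichever choice is made the two should stay consistent.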
diff --git a/rules/linux/discovery_linux_modprobe_enumeration.toml b/rules/linux/discovery_linux_modprobe_enumeration.toml new file mode 100644 index 000000000..23615e264 --- /dev/null +++ b/rules/linux/discovery_linux_modprobe_enumeration.toml 
@@ -0,0 +1,66 @@ +[metadata] +creation_date = "2023/06/08" +integration = ["auditd_manager"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/06" + +[rule] +author = ["Elastic"] +description = """ +Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized +access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or +unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities +within the system. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +language = "eql" +license = "Elastic License v2" +name = "Suspicious Modprobe File Event" +note = """## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. + +``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` + +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. 
+ +For this detection rule to trigger, the following additional audit rules are required to be added to the integration: +``` +-w /etc/modprobe.conf -p wa -k modprobe +-w /etc/modprobe.d -p wa -k modprobe +``` + +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +""" +risk_score = 21 +rule_id = "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd" +severity = "low" +tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and +file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not +(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/discovery_linux_sysctl_enumeration.toml b/rules/linux/discovery_linux_sysctl_enumeration.toml new file mode 100644 index 000000000..8ba133148 --- /dev/null +++ b/rules/linux/discovery_linux_sysctl_enumeration.toml 
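Review bot: The setup note asks for the watches `-w /etc/modprobe.conf -p wa -k modprobe` and `-w /etc/modprobe.d -p wa -k modprobe`, but the query matches `event.action in ("opened-file", "read-file", "wrote-to-file")`; a `-p wa` watch records writes and attribute changes only, so read-only opens of these files will not be audited by the rules the note prescribes and the read branches are effectively dead unless another audit rule happens to cover them. Either add `r` to the permissions (`-p rwa`) and accept the extra volume, or trim the action list to `"wrote-to-file"` and revisit the Discovery/T1082 mapping, which fits reads better than tampering. The sysctl rule added on the following lines has the same `-p wa` versus read-action mismatch. The exclusions `process.title : ("*grep*")` and `process.parent.pid == 1` are broad and unexplained; a `false_positives` entry or a comment in the query naming what they are meant to suppress would help anyone tuning this.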
@@ -0,0 +1,65 @@ +[metadata] +creation_date = "2023/06/08" +integration = ["auditd_manager"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/06" + +[rule] +author = ["Elastic"] +description = """ +Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential +unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl +configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +language = "eql" +license = "Elastic License v2" +name = "Suspicious Sysctl File Event" +note = """## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. + +``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` + +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. 
+ +For this detection rule to trigger, the following additional audit rules are required to be added to the integration: + +``` +-w /etc/sysctl.conf -p wa -k sysctl +-w /etc/sysctl.d -p wa -k sysctl +``` + +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +""" +risk_score = 21 +rule_id = "7592c127-89fb-4209-a8f6-f9944dfd7e02" +severity = "low" +tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and +file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and not process.name == "auditbeat" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/discovery_suspicious_proc_enumeration.toml b/rules/linux/discovery_suspicious_proc_enumeration.toml new file mode 100644 index 000000000..317694ca4 --- /dev/null +++ b/rules/linux/discovery_suspicious_proc_enumeration.toml 
@@ -0,0 +1,75 @@ +[metadata] +creation_date = "2023/06/09" +integration = ["auditd_manager"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/09" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal +activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about +running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-auditd_manager.auditd-*"] +language = "kuery" +license = "Elastic License v2" +name = "Suspicious Proc Pseudo File System Enumeration" +note = """## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. + +``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` + +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. 
+ +For this detection rule to trigger, the following additional audit rules are required to be added to the integration: +``` +-w /proc/ -p r -k audit_proc +``` + +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +""" +risk_score = 47 +rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd" +severity = "medium" +tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"] +timestamp_override = "event.ingested" +type = "threshold" + +query = ''' +host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and +file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1 +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[rule.threshold] +field = ["host.id", "process.pid", "process.name"] +value = 1 +[[rule.threshold.cardinality]] +field = "file.path" +value = 25 diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index bb03cdf41..9d5a699de 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,8 +2,8 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" updated_date = "2023/06/22" [rule] 
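Review bot: The threshold fires on `value = 1` with a `file.path` cardinality of 25 under the watch `-w /proc/ -p r -k audit_proc`, and the only exclusion is `not process.parent.pid : 1`; ordinary tools such as `ps`, `top` and most monitoring agents read `cmdline` and `stat` of every process, so on any host with more than 25 processes each of their invocations will trip the rule, and a read watch on all of `/proc/` is itself a very high-volume audit rule. The hunk carries no `false_positives` entry despite `risk_score = 47`; add one naming the process-listing utilities, and consider excluding them by `process.name` in the query or narrowing the watch to the paths the query actually uses. The `[[rule.threat.technique]]` table directly follows `framework = "MITRE ATT&CK"` with no blank line, unlike the other rules in this change; cosmetic, but worth aligning.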
@@ -22,7 +22,7 @@ false_positives = [ ] from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] -language = "eql" +language = "kuery" license = "Elastic License v2" name = "Abnormal Process ID or Lock File Created" note = """## Triage and analysis 
@@ -76,56 +76,34 @@ rule_id = "cac91072-d165-11ec-a764-f661ea17fbce" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -/* add file size filters when data is available */ -file where host.os.type == "linux" and event.type == "creation" and user.id == "0" and - file.path regex~ """(/var/run|/run)/\w+\.(pid|lock|reboot)""" and file.extension in ("pid","lock","reboot") and - - /* handle common legitimate files */ - - not file.name in ( - "auditd.pid", - "python*", - "apport.pid", - "apport.lock", - "kworker*", - "gdm3.pid", - "sshd.pid", - "acpid.pid", - "unattended-upgrades.lock", - "unattended-upgrades.pid", - "cmd.pid", - "yum.pid", - "netconfig.pid", - "docker.pid", - "atd.pid", - "lfd.pid", - "atop.pid", - "nginx.pid", - "dhclient.pid", - "smtpd.pid", - "stunnel.pid", - "1_waagent.pid", - "crond.pid", - "cron.reboot", - "sssd.pid", - "tomcat8.pid" - ) +host.os.type : "linux" and event.category : "file" and event.action : ("creation" or "file_create_event") and +user.id : "0" and file.path : (/var/run/* or /run/*) and file.extension : ("pid" or "lock" or "reboot") and not +file.name : ("auditd.pid" or "python*" or "apport.pid" or "apport.lock" or "kworker*" or "gdm3.pid" or "sshd.pid" or +"acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or +"docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or +"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = 
"https://attack.mitre.org/tactics/TA0002/" +[rule.new_terms] +field = "new_terms_fields" +value = ["process.executable", "file.path"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 42fb7d710..6f914f6ae 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/06/29" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
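Review bot: The new KQL at @@ -76,56 matches `file.path : (/var/run/* or /run/*)`, whereas the removed EQL anchored the path with `(/var/run|/run)/\w+\.(pid|lock|reboot)`, i.e. files directly under the run directory; KQL wildcards match across `/`, so the rule now also covers nested per-user and per-service subdirectories (constructed example: `/run/user/<uid>/foo.pid`), which the `file.name` exclusion list was never built for. If the widening is intended the description should say so; otherwise the old anchoring needs an equivalent here, since the `new_terms` on `process.executable, file.path` only suppresses repeats rather than the first hit per path. The removed comment `/* add file size filters when data is available */` was an open TODO that is now lost; move it into the description or track it elsewhere.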
@@ -13,24 +13,25 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a interactive tty after obtaining initial access to a host. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Interactive Terminal Spawned via Python" risk_score = 73 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f" severity = "high" +timestamp_override = "event.ingested" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] -timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db" -timeline_title = "Comprehensive Process Timeline" type = "eql" query = ''' -sequence with maxspan=1m - [process where host.os.type == "linux" and event.type == "start" and process.name : "python*"] by process.entity_id - [process where host.os.type == "linux" and event.type == "start" and - process.executable : "/bin/*sh" - ] by process.parent.entity_id +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.parent.name : "python*" and process.name : "*sh" and process.parent.args_count >= 3 and + process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or + (process.parent.name : "python*" and process.name : "*sh" and process.args : "*sh" and process.args_count == 1 + and process.parent.args_count == 1) +) ''' @@ -50,4 +51,3 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml new file mode 100644 index 000000000..f74edf64e --- /dev/null +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml 
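Review bot: The description context line still says the rule identifies when a terminal is spawned via Python, but the rewritten query only covers two forms: `python -c` with `*pty.spawn*` in the parent args, and a bare interpreter and bare shell both with `args_count == 1`; a Python invocation whose `pty.spawn` lives in a script file has a parent `args_count` of 2 and matches neither branch, so either the description should be narrowed to what is covered or a branch for the script-argument form added. In the second branch `process.args : "*sh"` appears redundant with `process.name : "*sh"` when `process.args_count == 1`, since args[0] is normally the executable name; if it is meant to guard against a renamed binary, a comment in the query saying so would help. The `timeline_id`/`timeline_title` removal and the `timestamp_override` placement before `tags` are unmentioned in the hunk; the latter is cosmetic, the former deserves a line in the description or commit message.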
@@ -0,0 +1,50 @@ +[metadata] +creation_date = "2022/06/20" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/20" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within +a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a +public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection +attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities +for unauthorized access and malicious actions. +""" +from = "now-9m" +index = ["logs-endpoint.events.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Code Execution via Postgresql" +risk_score = 73 +rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e" +severity = "high" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and +event.type == "start" and user.name == "postgres" and (process.parent.args : "*sh" or process.args : "*sh") +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
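Review bot: The query fires for any process running as `user.name == "postgres"` whose own or parent's args end in `sh`, with `fork`/`fork_event` included alongside exec; an administrator doing `su - postgres` or `sudo -u postgres bash` satisfies it on the shell exec and again on every fork that shell performs, and service wrappers that run as that user may too, so a `risk_score = 73` high-severity rule will be noisy without a `false_positives` block. Consider dropping the fork actions (the exec event already captures the shell start) and adding `process.parent.name` exclusions for known service scripts, or at least documenting the expected noise. `creation_date = "2022/06/20"` on a file that is new in this diff looks like a copied value; if the rule genuinely dates from then it is fine, otherwise it should match the other new rules.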
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 8fd34ab54..d556a0488 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -9,12 +9,12 @@ updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ -Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system -shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system -administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access. +Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive +system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, +and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Linux Restricted Shell Breakout via Linux Binary(s)" 
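Review bot: The hunk removes `endgame-*` from `index`, but the tags context line in the next hunk still carries `Data Source: Elastic Endgame`, so either the tag should go as well or the index change is unintended; the hunk gives no reason for it. The rewritten description is clearer, but `enhance the stability of an adversary` reads oddly — the old text meant `enhance the stability of an adversary's access`. The hunk header shows `updated_date = "2023/06/22"` unchanged while the description and index are edited here and the query is rewritten below; the other rules in this diff bump the date with their changes.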
@@ -100,61 +100,68 @@ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - ( - /* launch shells from unusual process */ - (process.name == "capsh" and process.args == "--") or - - /* launching shells from unusual parents or parent+arg combos */ - (process.name in ("bash", "sh", "dash","ash") and - (process.parent.name in ("byebug","git","ftp","strace","nawk", "mawk", "awk", "gawk", "tar", "zip")) or - - /* shells specified in parent args */ - /* nice rule is broken in 8.2 */ - (process.parent.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and - ( - (process.parent.name == "nice") or - (process.parent.name == "cpulimit" and process.parent.args == "-f") or - (process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";") or - (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/") - ) - ) or - - /* shells specified in args */ - (process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") and - (process.parent.name == "crash" and process.parent.args == "-h") or - (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog") - /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */ - ) +( + /* launching shell from capsh */ + (process.name == "capsh" and process.args == "--") or + + /* launching shells from unusual parents or parent+arg combos */ + (process.name : "*sh" and ( + (process.parent.name : ("byebug", "ftp", "strace", "zip", "*awk", "git", "tar") and + ( + process.parent.args : "BEGIN {system(*)}" or + (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or 
process.args : ("*PAGER*", "!*sh", "exec *sh")) or + ( + (process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or + (process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh")) + ) + ) ) or - (process.name == "busybox" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash") )or - (process.name == "env" and process.args_count == 2 and process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash", "sh", "bash", "dash", "ash")) or - (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args in (":!/bin/bash", ":!/bin/sh", ":!bash", ":!sh")) or - (process.parent.name in ("c89","c99", "gcc") and process.parent.args in ("sh,-s", "bash,-s", "dash,-s", "ash,-s", "/bin/sh,-s", "/bin/bash,-s", "/bin/dash,-s", "/bin/ash,-s") and process.parent.args == "-wrapper") or - (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args in ("spawn /bin/sh;interact", "spawn /bin/bash;interact", "spawn /bin/dash;interact", "spawn sh;interact", "spawn bash;interact", "spawn dash;interact")) or - (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args in ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")) or - (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2")) - ) -''' + + /* shells specified in parent args */ + /* nice rule is broken in 8.2 */ + (process.parent.args : "*sh" and + ( + (process.parent.name == "nice") or + (process.parent.name == "cpulimit" and process.parent.args == "-f") or + (process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";" and 
process.parent.args == "-p") or + (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/") + ) + ) + )) or + /* shells specified in args */ + (process.args : "*sh" and ( + (process.parent.name == "crash" and process.parent.args == "-h") or + (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog") + /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */ + + )) or + (process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox") or + (process.name == "env" and process.args_count == 2 and process.args : "*sh") or + (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or + (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or + (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args : "spawn *sh;interact") or + (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args : "\\!*sh") or + (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args : "ProxyCommand=;*sh 0<&2 1>&2") +) +''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
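Review bot: The switch from explicit shell lists to `process.name : "*sh"` and `process.args : "*sh"` lets any binary whose name ends in "sh" (`ssh`, `mosh`) count as a shell, so `env ssh` satisfies the env branch and wherever `nice sh` matches, `nice ssh host` matches too; the sibling rules in this commit use the explicit list `("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`, which would be consistent and avoids that class of false positive. The `find` branch now additionally requires `process.parent.args == "-p"`, which narrows it from any `find -exec <shell> \;` breakout to the privilege-preserving variant; if that is intentional it deserves a comment, otherwise the old coverage was lost. The carried-over comment `/* nice rule is broken in 8.2 */` gives no version or reason a maintainer can act on; either expand it (which stack versions, what breaks) or remove it. The query string is the whole of this hunk; the threat mapping that follows is unchanged.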
diff --git a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
new file mode 100644
index 000000000..7157e032d
--- /dev/null
+++ b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2023/07/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells
+spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured
+through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell via Suspicious Parent Process"
+references = [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id, process.parent.entity_id with maxspan=1s
+[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and (
+ (process.name : "python*" and process.args : "-c") or
+ (process.name : "php*" and process.args : "-r") or
+ (process.name : "perl" and process.args : "-e") or
+ (process.name : "ruby" and process.args : ("-e", "-rsocket")) or
+ (process.name : "lua*" and process.args : "-e") or
+ (process.name : "openssl" and process.args : "-connect") or
+ (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
+ (process.name : "telnet" and process.args_count >= 3) or
+ (process.name : "awk")) and
+ process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
+[ network where host.os.type
== "linux" and event.type == "start" and event.action == "connection_attempted" and
+ process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml
new file mode 100644
index 000000000..1e493963c
--- /dev/null
+++ b/rules/linux/execution_shell_via_java_revshell_linux.toml
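Review bot: `process.name : "awk"` in the first stage, and the literal `"awk"` in both name lists, only match a binary literally named awk, while most distributions ship it as `gawk`/`mawk`/`nawk` (the breakout rule in this same commit already uses `"*awk"`); use `"*awk"` in all three places here, and likewise in the child-process rule that follows (`execution_shell_via_lolbin_interpreter_linux.toml`), which has the same lists. The awk branch is also the only one with no argument constraint, so any awk process whose forked child attempts a connection within 1s qualifies; consider giving it an argument condition as the other interpreters have. The description says reverse shells are spawned "to establish persistence", but the rule is mapped to Execution and Command and Control, not Persistence; suggest `Attackers may spawn reverse shells to obtain interactive remote access to a target system.` The same sentence appears in the child-process and suspicious-binary rules added below.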
@@ -0,0 +1,66 @@
+[metadata]
+creation_date = "2023/07/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming
+network connection. This behavior may indicate reverse shell activity via a Java application.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell via Java"
+references = [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id with maxspan=5s
+[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
+ process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") ] by process.entity_id
+[ process where host.os.type == "linux" and event.action == "exec" and
+ process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
+ process.parent.args : "-jar" and process.executable : "*sh" ] by process.parent.entity_id
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference =
"https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
new file mode 100644
index 000000000..36e1a70ef
--- /dev/null
+++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
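Review bot: `process.executable : "*sh"` in the second stage matches any executable whose path ends in "sh", so a JAR that accepts a connection and then launches `ssh` (a CI or automation server dispatching work to agents does exactly this) will alert; the explicit list used by the sibling rules, `process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`, expresses the intent without that false positive. The Java path list (`/usr/bin/java`, `/bin/java`, `/usr/lib/jvm/*`, `/usr/java/*`) misses vendor and container JDKs installed elsewhere (under /opt or a user's home, for example), so `process.name == "java"` — alone or alongside the paths — would be a more portable anchor for both stages. The rule sets no `timestamp_override`, consistent with the other sequence rules here, so that is presumably deliberate.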
@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2023/07/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by
+the specified utilities that are initialized from a single process followed by a network connection attempt will be
+captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell via Suspicious Child Process"
+references = [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+ (process.name : "python*" and process.args : "-c") or
+ (process.name : "php*" and process.args : "-r") or
+ (process.name : "perl" and process.args : "-e") or
+ (process.name : "ruby" and process.args : ("-e", "-rsocket")) or
+ (process.name : "lua*" and process.args : "-e") or
+ (process.name : "openssl" and process.args : "-connect") or
+ (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
+ (process.name : "telnet" and process.args_count >= 3) or
+ (process.name : "awk")) and
+ process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
+[ network where host.os.type == "linux" and event.type == "start"
and event.action == "connection_attempted" and
+ process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml
new file mode 100644
index 000000000..01d25194a
--- /dev/null
+++ b/rules/linux/execution_shell_via_suspicious_binary.toml
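Review bot: The `openssl` branch (`process.name : "openssl" and process.args : "-connect"`) followed by openssl's own connection attempt within 1s describes a routine `openssl s_client -connect host:443` certificate check run from an interactive shell just as well as it describes a reverse shell, so this rule will fire on ordinary administration with no further discriminator. Consider dropping the openssl branch from this rule (the parent/child rule in this commit covers the forked variant, where the extra stage is the discriminator) or adding a documented tuning exception for interactive `s_client` use. The `awk` and "persistence" points raised on the parent-process rule above apply to this query and description verbatim.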
@@ -0,0 +1,80 @@
+[metadata]
+creation_date = "2023/07/05"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary
+(located in a commonly abused location or executed manually) followed by a network event and ending with a shell being
+spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish
+persistence onto a target system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell via Suspicious Binary"
+references = [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+ process.executable : (
+ "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
+ "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*",
+ "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local"
+ ) and
+ process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not
+ process.name : ("curl", "wget", "ping", "apt", "dpkg", "yum", "rpm", "dnf", "dockerd") ]
+[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and
+ process.executable : (
+ "./*", "/tmp/*", "/var/tmp/*",
"/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
+ "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*",
+ "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local"
+ ) ]
+[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
+ process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
\ No newline at end of file
diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
new file mode 100644
index 000000000..dfaaba0a5
--- /dev/null
+++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
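Review bot: The `"./*"` entry in both `process.executable` lists is unlikely ever to match: every other entry assumes `process.executable` is the resolved absolute path, and if Endpoint populates it that way a relatively invoked binary still appears as `/some/dir/name`, so the "executed manually" case the description promises is not actually covered. If argv[0] is what is meant, `process.args : "./*"` (first-stage only, since the network stage is keyed to the same `process.entity_id`) would express it — worth confirming against a sample event. The file is also missing its trailing newline (`\ No newline at end of file`), unlike the other rule files added in this commit. The "persistence" wording in the description is the point already raised on the parent-process rule.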
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/07/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This
+activity consists of a parent-child relationship where a network event is followed by the creation of a shell process.
+An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell"
+references = [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id with maxspan=1s
+[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and
+ process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.entity_id
+[ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "fork") and
+ process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
+ process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.parent.entity_id
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference =
"https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
new file mode 100644
index 000000000..c58686034
--- /dev/null
+++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml
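Review bot: The description promises "suspicious network traffic patterns", but the query consumes only Endpoint process and network events — a connection attempt by a shell or socat process followed within 1s by a shell spawned from that same process — so the wording oversells the data source; suggest `This detection rule identifies a sequence of endpoint events associated with TCP reverse shell activity: a network connection attempt by a shell or socat process, followed by the creation of a shell process from it.` Because the second stage accepts `event.action : ("exec", "fork")`, the child can be the fork a shell performs for any external command, not necessarily a new interactive shell; that is presumably intended for the stageless case but is worth a one-line comment in the query. `maxspan=1s` also assumes the shell is spawned immediately after the connection; validating the window against the referenced payloads would confirm the second stage is not routinely missed.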
@@ -0,0 +1,73 @@
+[metadata]
+creation_date = "2023/06/26"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility.
+Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The
+output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is
+consistent with malware families such as Bundlore.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Content Extracted or Decompressed via Funzip"
+references = [
+ "https://attack.mitre.org/software/S0482/"
+]
+risk_score = 47
+rule_id = "dc0b7782-0df0-47ff-8337-db0d678bdb66"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
+((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and
+not process.args : "/var/log/messages" and
+not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and
+not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+name = "Unix Shell"
+id = "T1059.004"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Defense Evasion"
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat.technique]]
+name = "Obfuscated Files or Information"
+id = "T1027"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[rule.threat.technique]]
+name = "Deobfuscate/Decode Files or Information"
+id = "T1140"
+reference = "https://attack.mitre.org/techniques/T1140/"
diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml
new file mode 100644
index 000000000..fcf4350fe
--- /dev/null
+++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml
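Review bot: The query never constrains `process.name`, so `process.args == "tail" and process.args == "-c" and process.args == "funzip"` is really matching the wrapper process (a `sh -c "... tail -c ... | funzip"` command line) rather than tail or funzip themselves; that is a reasonable design but should be stated, e.g. `/* matches the shell wrapper whose argv contains both tail -c and funzip; tail and funzip themselves run as separate processes */`. The double parentheses `((...))` around that conjunction are redundant — one pair reads the same. The description cites Bundlore, which the linked MITRE entry documents as macOS software, while the rule is scoped to `host.os.type == "linux"`; if this is a port of a macOS rule, the description should say so or name the Linux behaviour that motivated it.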
@@ -0,0 +1,70 @@
+[metadata]
+creation_date = "2023/06/14"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2023/06/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the execution of several commonly used system commands executed by a previously unknown
+executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially
+malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code.
+Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the
+system and its data from potential compromise.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Suspicious System Commands Executed by Previously Unknown Executable"
+risk_score = 21
+rule_id = "e9001ee6-2d00-4d2f-849e-b8b1fb05234c"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+host.os.type : "linux" and event.category : "process" and
+event.action : ("exec" or "exec_event" or "fork" or "fork_event") and
+process.executable : (
+ /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or
+ /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or
+ /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*
+ ) and process.args : (
+ "whoami" or "id" or "hostname" or "uptime" or "top" or "ifconfig" or "netstat" or "route" or
+ "ps" or "pwd" or "ls"
+ ) and not process.name : (
+ "sudo" or "which" or "whoami" or "id" or "hostname" or "uptime" or "top" or "netstat" or "ps" or
+
"pwd" or "ls" or "apt" or "dpkg" or "yum" or "rpm" or "dnf" or "dockerd" or "snapd" or "snap"
+ )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+name = "Command and Scripting Interpreter"
+id = "T1059"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+name = "Unix Shell"
+id = "T1059.004"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml
new file mode 100644
index 000000000..bed7ab281
--- /dev/null
+++ b/rules/linux/impact_data_encrypted_via_openssl.toml
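Review bot: The `not process.name : (...)` exclusion omits `ifconfig` and `route` even though both are in the `process.args` list; since `process.args` carries argv[0], a new build of either binary under one of the listed paths matches on its own name — exactly what the `whoami`/`id`/`ls` exclusions prevent for the other commands — so `"ifconfig" or "route"` should be added to the exclusion. The description says "commonly abused directories", yet the path list begins with `/bin/*`, `/usr/bin/*` and `/usr/share/*`, so every binary a package upgrade installs becomes a new term the first time it runs `id`, `ls` or `hostname`; either narrow the paths or reword the description so the low severity is understood as intended noise. `/home/*/.*` only covers hidden entries directly under a home directory, which may or may not be the intent and deserves a comment either way.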
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/06/26"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window.
+Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data
+and may attempt to hold the organization's data to ransom for the purposes of extortion.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Data Encryption via OpenSSL Utility"
+references = [
+ "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html",
+]
+risk_score = 47
+rule_id = "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
+type = "eql"
+query = '''
+sequence by host.id, user.name, process.parent.entity_id with maxspan=5s
+ [ process where host.os.type == "linux" and event.action == "exec" and
+ process.name == "openssl" and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl*", "php*", "python*", "xargs") and
+ process.args == "-in" and process.args == "-out" and
+ process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and
+ /* excluding base64 encoding options and including encryption password or key params */
+ not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Impact"
+id = "TA0040"
+reference =
"https://attack.mitre.org/tactics/TA0040/"
+
+[[rule.threat.technique]]
+name = "Data Encrypted for Impact"
+id = "T1486"
+reference = "https://attack.mitre.org/techniques/T1486/"
diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
index 7975cf5b6..5a9a2eee0 100644
--- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
+++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
@@ -4,16 +4,15 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/20"
+updated_date = "2023/06/15"
 
 [rule]
 author = ["Elastic"]
 description = """
-Ransomware is a type of malware that encrypts a victim's files or systems and demands payment
-(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a
-ransomware attack is the mass encryption of the file system, after which a new file extension
-is added to the file. This rule identifies a sequence of 50 file extension rename events
-by the same process in a timespan of 1 second.
+This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same
+process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and
+demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware
+attack is the mass encryption of the file system, after which a new file extension is added to the file.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
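Review bot: The positive clause `process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md")` treats `-iv` and `-md` as evidence of encryption, but neither supplies a key or password, and the comment directly below says the list is "including encryption password or key params"; either drop `-iv`/`-md` or reword the comment to say what they are there for. Excluding `-a`/`-A`/`-base64` removes invocations that still encrypt with a password (base64 is only an output armour option), so that part of the exclusion reduces coverage rather than noise; the `-d`/`-none` exclusions already handle the decrypt and no-cipher cases. Nothing in the query ties the arguments to the `enc` subcommand, so `process.args == "enc"` would make the "used to encrypt" claim in the description concrete. The `sequence by ... process.parent.entity_id` key means ten openssl runs from ten different shells are never aggregated, which matches the "single script" scenario in the references but should be documented as a known gap.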
@@ -26,9 +25,19 @@ severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
 type = "eql"
 query = '''
-sequence by host.id, process.entity_id, file.extension with maxspan=1s
-[ file where host.os.type == "linux" and event.type == "change" and
- event.action == "rename" and file.extension != "" ] with runs=50 | tail 1
+sequence by host.id, process.entity_id with maxspan=1s
+ [ file where host.os.type == "linux" and event.type == "change" and
+ event.action == "rename" and file.extension != "" and
+ file.path : (
+ "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
+ ) and not
+ file.extension : (
+ "xml", "json", "conf", "dat", "gz", "info", "mod", "final",
+ "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
+ ) and not
+ process.name : (
+ "dpkg", "yum", "dnf", "rpm", "dockerd"
+ ) ] with runs=100 | tail 1
 '''
 
 
diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
index 08d5d5650..b7fa43d55 100644
--- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml
+++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
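Review bot: `"/var/lib/log/*"` in the `file.path` list is not a standard directory on any common distribution; if `/var/log/*` was intended, log-directory renames are currently never counted, and the identical list is repeated in the ransomware-note rule's query hunk further down (`impact_potential_linux_ransomware_note_detected.toml`), so both need the same correction. Dropping `file.extension` from the `sequence by` keys means the 100 renames no longer have to share one new extension; the path and extension filters offset some of that, but the per-extension key was the most ransomware-specific part of the old rule, so it is worth confirming the loosening was intended and saying so in a comment. `"*old"` is the only wildcard among otherwise exact extensions (it also excludes e.g. `gold`), which reads as an accident; `"old"` or a comment would settle it.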
@@ -4,18 +4,16 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/20"
+updated_date = "2023/06/15"
 [rule]
 author = ["Elastic"]
 description = """
-Ransomware is a type of malware that encrypts a victim's files or systems and demands payment
-(usually in cryptocurrency) in exchange for the decryption key. One important indicator of a
-ransomware attack is the mass encryption of the file system, after which a new file extension
-is added to the file. Generally, a ransomware note with contact details is dropped onto the
-file system which can be used by the victim to contact the attacker. This rule identifies a
-sequence of a mass file encryption event in conjunction with the creation of a .txt file with
-a file name containing ransomware keywords executed by the same process in a 1 second timespan.
+This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with
+a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of
+malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the
+decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a
+new file extension is added to the file.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -29,20 +27,23 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
- [ file where host.os.type == "linux" and event.type == "change" and
- event.action == "rename" and file.extension != "" ] with runs=50
- [ file where host.os.type == "linux" and event.action == "creation" and
- file.extension == "txt" and file.name : (
- "*crypt*",
- "*restore*",
- "*lock*",
- "*recovery*",
- "*data*",
- "*read*",
- "*instruction*",
- "*how_to*",
- "*ransom*"
- ) ] | tail 1
+ [ file where host.os.type == "linux" and event.type == "change" and
+ event.action == "rename" and file.extension != "" and
+ file.path : (
+ "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
+ ) and not
+ file.extension : (
+ "xml", "json", "conf", "dat", "gz", "info", "mod", "final",
+ "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
+ ) and not
+ process.name : (
+ "dpkg", "yum", "dnf", "rpm", "dockerd"
+ ) ] with runs=100
+ [ file where host.os.type == "linux" and event.action == "creation" and file.extension == "txt" and
+ file.name : (
+ "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*",
+ "*read*", "*instruction*", "*how_to*", "*ransom*"
+ ) ] | tail 1
 '''
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index 74760ae93..1bce29dd2 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -72,6 +72,6 @@ name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
 [rule.threshold]
-field = ["host.id"]
+field = ["host.id", "process.executable", "user.name"]
 value = 10
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 664bfd5c4..e362093a8 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
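Review bot: `updated_date` is not bumped in `impact_process_kill_threshold.toml` although the threshold grouping changes from `["host.id"]` to `["host.id", "process.executable", "user.name"]`; the other rule files in this commit bump it when their logic changes (for example `persistence_chkconfig_service_add.toml` moves to `2023/06/29`), and this hunk is the only one for the file. The new grouping is also a behavioural change worth stating in the commit message: with `value = 10` unchanged, ten terminations now have to come from the same executable and user on one host, so kills spread across several binaries or accounts no longer reach the threshold.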
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/29"
 integration = ["endpoint"]
 [rule]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and
+process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
 (
 (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
 (process.args : "*chkconfig" and process.args : "--add")
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index ae918434f..ebb4a34e8 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -9,7 +9,9 @@ integration = ["endpoint"]
 [rule]
 author = ["Elastic"]
 description = """
-Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.
+Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and
+elevate privileges on compromised systems. File creation in these directories should not be entirely common and could
+indicate a malicious binary or script installing persistence mechanisms for long term access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
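Review bot: The rewritten condition drops `event.type == "start"` entirely when switching to `event.action in ("exec", "exec_event")`, while the web-server rule touched in the same commit keeps both (`event.type == "start" and event.action in ("exec", "exec_event")` in its query context further down). Keeping the ECS category constraint alongside the action filter makes the two rules consistent: `process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and`. The remainder of the query continues on the context lines and is unchanged by the hunk.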
@@ -28,10 +30,11 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where host.os.type == "linux" and event.type == "creation" and user.name == "root" and
-file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*")
-and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic",
- "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor")
+file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and
+file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
+"/usr//lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
+"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd",
+"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension == "swp"
 '''
 [[rule.threat]]
@@ -107,4 +110,3 @@ reference = "https://attack.mitre.org/techniques/T1548/"
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
-
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml
index 2474e83c7..fc169c77d 100644
--- a/rules/linux/persistence_init_d_file_creation.toml
+++ b/rules/linux/persistence_init_d_file_creation.toml
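Review bot: The added path pattern `"/usr//lib/systemd/system/*"` contains a doubled slash, so it only matches a `file.path` that itself contains `//`; a unit written to `/usr/lib/systemd/system/` would not be caught, which defeats the purpose of adding the directory — it should read `"/usr/lib/systemd/system/*"`. In the same line `file_create_event` is filtered under `event.type`, whereas the init.d rule in this commit filters that Endgame value under `event.action` (`event.action:("creation" or "file_create_event" ...)`); `event.type` is the ECS categorisation field, so this branch likely never matches as written and something like `(event.type == "creation" or event.action == "file_create_event")` is probably what was intended. Minor: `"*/dnf-automatic","*/yum-cron"` is missing the space after the comma that the rest of the list uses.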
@@ -2,24 +2,122 @@
 creation_date = "2023/03/21"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/04/03"
+updated_date = "2023/06/22"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve File Information"
+query = "SELECT * FROM file WHERE path = {{file.path}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve File Listing Information"
+query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Additional File Listing Information"
+query = """
+SELECT
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+ LEFT JOIN users u ON f.uid = u.uid
+ LEFT JOIN groups g ON f.gid = g.gid
+WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Crontab Information"
+query = "SELECT * FROM crontab"
 [rule]
 author = ["Elastic"]
 description = """
-Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications,
-services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd, however,
-through the "systemd-sysv-generator" init.d files can be converted to service unit files that run at boot.
-Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code on boot
-time in order to gain persistence onto the system.
+Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts
+or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the
+"systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or
+alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence
+on the system.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Persistence Through init.d Detected"
+note = """## Triage and analysis
+
+### Investigating Potential Persistence Through init.d Detected
+
+The `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.
+
+Attackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.
+
+This rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible Investigation Steps
+
+- Investigate the file that was created or modified.
+ - $osquery_0
+- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.
+ - $osquery_1
+ - $osquery_2
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+ - $osquery_3
+- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.
+- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.
+ - If scripts or executables were dropped, retrieve the files and determine if they are malicious:
+ - Use a private sandboxed malware analysis system to perform analysis.
+ - Observe and collect information about the following activities:
+ - Attempts to contact external domains and addresses.
+ - Check if the domain is newly registered or unexpected.
+ - Check the reputation of the domain or IP address.
+ - File access, modification, and creation activities.
+ - Cron jobs, services and other persistence mechanisms.
+ - $osquery_4
+
+### False Positive Analysis
+
+- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.
+- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account.
+- Try to understand the context of the execution by thinking about the user, machine, or business purpose.
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.
+
+### Related Rules
+
+- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Delete the maliciously created service/init.d files or restore it to the original configuration.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 references = [
 "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
 "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
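Review bot: The guide sentence beginning `This rule looks for the creation of new files within the /etc/init.d/ directory` understates the query, which (in the following hunk of this file) also matches `rename` and `file_rename_event` actions; `This rule looks for the creation or renaming of files within the /etc/init.d/ directory.` tells analysts that a renamed script fires it too. The next sentence, `Executable files in these directories will automatically run at boot with root privileges.`, is stronger than the mechanism the guide itself describes a paragraph earlier — a script in `/etc/init.d/` runs at boot only once it is enabled or converted by `systemd-sysv-generator` — so `can run at boot with root privileges once enabled or converted by the generator` is more accurate. The first transform keys on `{{file.path}}`; for a rename event that is presumably the post-rename path, which is the one to inspect, but it is worth confirming against the emitted event.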
@@ -29,35 +127,32 @@ references = [
 risk_score = 47
 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and file.path : /etc/init.d/* and not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not file.extension : "swp"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["file.path", "process.name"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml
index 4029160d4..aec5ae835 100644
--- a/rules/linux/persistence_linux_backdoor_user_creation.toml
+++ b/rules/linux/persistence_linux_backdoor_user_creation.toml
@@ -6,6 +6,27 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
 min_stack_version = "8.3.0"
 updated_date = "2023/06/22"
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve User Accounts with a UID of 0"
+query = "SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific User"
+query = "SELECT * FROM users WHERE username = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Investigate the Account Authentication Status"
+query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific Group"
+query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
+
 [rule]
 author = ["Elastic"]
 description = """
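Review bot: In the first transform, `uid LIKE '0'` compares the integer `uid` column as text and only behaves as an equality test because no wildcard is present; `uid = 0` states the intent directly, i.e. `query = "SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid = 0"`. The last transform interpolates `{{group.name}}`, but the alert this guide attaches to is described in the next hunk as a `usermod` execution that sets a UID to 0, and nothing on the page shows that such a process event carries `group.name`; if it does not, `$osquery_4` renders with an empty placeholder, so the field's presence is worth confirming before the guide ships.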
@@ -17,10 +38,56 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Backdoor User Account Creation"
+note = """## Triage and analysis
+
+### Investigating Potential Linux Backdoor User Account Creation
+
+The `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.
+
+Attackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.
+
+This rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.
+ - $osquery_0
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+ - $osquery_1
+- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.
+ - $osquery_2
+- Investigate whether the user is currently logged in and active.
+ - $osquery_3
+- Identify if the account was added to privileged groups or assigned special privileges after creation.
+ - $osquery_4
+- Investigate other alerts associated with the user/host during the past 48 hours.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
+- Delete the created account.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 risk_score = 47
 rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml
index 092130a43..0224db2bb 100644
--- a/rules/linux/persistence_linux_group_creation.toml
+++ b/rules/linux/persistence_linux_group_creation.toml
@@ -6,6 +6,23 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
 min_stack_version = "8.3.0"
 updated_date = "2023/06/22"
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific Group"
+query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific User"
+query = "SELECT * FROM users WHERE username = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Investigate the Account Authentication Status"
+query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -16,10 +33,56 @@ index = ["logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Group Creation"
+note = """## Triage and analysis
+
+### Investigating Linux Group Creation
+
+The `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.
+
+Attackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.
+
+This rule identifies the usages of `groupadd` and `addgroup` to create new groups.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Investigate whether the group was created succesfully.
+ - $osquery_0
+- Identify if a user account was added to this group after creation.
+ - $osquery_1
+- Investigate whether the user is currently logged in and active.
+ - $osquery_2
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
+ - $osquery_3
+- Investigate other alerts associated with the user/host during the past 48 hours.
+
+### False positive analysis
+
+- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
+- Delete the created group and, in case an account was added to this group, delete the account.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 risk_score = 21
 rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index e7608af01..931fe892e 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
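Review bot: Typo in the first investigation step of this guide, `Investigate whether the group was created succesfully.` — it should read `successfully`; the same misspelling appears in the user-account-creation guide added later in this commit (`Investigate whether the user was created succesfully.`). While here, the closing remediation bullet is worded differently across the new guides (`Leverage the incident response data and logging to improve ...` here and in the backdoor-user guide, `Using the incident response data, update logging and audit policies to improve ...` in the user-account-creation guide); settling on one wording keeps the guides consistent.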
@@ -4,11 +4,36 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/03"
+updated_date = "2023/06/22"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve Listening Ports"
+query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Open Sockets"
+query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Process Info"
+query = "SELECT name, cmdline, parent, path, uid FROM processes"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Process Info for Webapp User"
+query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Crontab Information"
+query = "SELECT * FROM crontab"
 [rule]
 author = ["Elastic"]
-description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
+description = """
+Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.
+Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor
+file that can be abused to gain code execution as a mechanism for persistence.
+"""
 false_positives = [
 """
 Network monitoring or management products may have a web server component that runs shell commands as part of normal
@@ -20,6 +45,58 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Code Execution via Web Server"
+note = """## Triage and analysis
+
+### Investigating Potential Remote Code Execution via Web Server
+
+Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.
+
+This rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.
+ - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.
+ - $osquery_0
+ - $osquery_1
+ - Investigate the process information for malicious or uncommon processes/process trees.
+ - $osquery_2
+ - Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes.
+ - $osquery_3
+- Examine the command line to determine which commands or scripts were executed.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
+ - Use a private sandboxed malware analysis system to perform analysis.
+ - Observe and collect information about the following activities:
+ - Attempts to contact external domains and addresses.
+ - Check if the domain is newly registered or unexpected.
+ - Check the reputation of the domain or IP address.
+ - File access, modification, and creation activities.
+ - Cron jobs, services and other persistence mechanisms.
+ - $osquery_4
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 references = [
 "https://pentestlab.blog/tag/web-shell/",
 "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
@@ -27,10 +104,9 @@ references = [
 risk_score = 73
 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.executable : (
@@ -48,32 +124,32 @@ process.name : ("*sh", "python*", "perl", "php*", "tmux") and
 process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1505"
 name = "Server Software Component"
 reference = "https://attack.mitre.org/techniques/T1505/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1505.003"
 name = "Web Shell"
 reference = "https://attack.mitre.org/techniques/T1505/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
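Review bot: The new false-positive section, `This activity is unlikely to happen legitimately. ...`, contradicts the rule's own `false_positives` entry that is still present as context in the first hunk of this file, which says network monitoring or management products may have a web server component that runs shell commands as part of normal operation. The section should acknowledge that case so an analyst does not close a known-benign product as malicious, e.g. `- Network monitoring or management products with a web server component may run shell commands as part of normal operation; verify the product and, if legitimate, add an exception scoped to its executable and user.` Separately, `$osquery_3` filters on `{{process.user.id}}`; if that field is absent on the matched event the rendered query ends in an empty `uid =` comparison, so confirming the field is populated for this rule's events would be prudent.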
diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml
index 75695484b..abe8e7232 100644
--- a/rules/linux/persistence_linux_user_account_creation.toml
+++ b/rules/linux/persistence_linux_user_account_creation.toml
@@ -6,6 +6,23 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s
 min_stack_version = "8.3.0"
 updated_date = "2023/06/22"
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific User"
+query = "SELECT * FROM users WHERE username = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Investigate the Account Authentication Status"
+query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Information for a Specific Group"
+query = "SELECT * FROM groups WHERE groupname = {{group.name}}"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Running Processes by User"
+query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -16,10 +33,55 @@ index = ["logs-system.auth-*"] language = "eql" license = "Elastic License v2" name = "Linux User Account Creation" +note = """## Triage and analysis + +### Investigating Linux User Account Creation + +The `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems. + +Attackers may create new accounts (both local and domain) to maintain access to victim systems. + +This rule identifies the usage of `useradd` and `adduser` to create new accounts. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate whether the user was created succesfully. + - $osquery_0 +- Investigate whether the user is currently logged in and active. + - $osquery_1 +- Identify if the account was added to privileged groups or assigned special privileges after creation. + - $osquery_2 +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_3 +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. 
+ - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Delete the created account. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" risk_score = 21 rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 190c0c6e9..a57913f2d 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml 
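Review bot: The first investigation step misspells "successfully": `- Investigate whether the user was created succesfully.` should read `- Investigate whether the user was created successfully.`; this text is rendered verbatim in the Kibana investigation guide. The same misspelling appears in the `persistence_linux_user_added_to_privileged_group.toml` note below (`was succesfully added to the privileged group`).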
@@ -6,6 +6,23 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/06/22" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific Group" +query = "SELECT * FROM groups WHERE groupname = {{group.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + [rule] author = ["Elastic"] description = """ 
@@ -17,10 +34,55 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Linux User Added to Privileged Group" +note = """## Triage and analysis + +### Investigating Linux User User Added to Privileged Group + +The `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems. + +Attackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain. + +This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate whether the user was succesfully added to the privileged group. + - $osquery_0 +- Investigate whether the user is currently logged in and active. + - $osquery_1 +- Retrieve information about the privileged group to which the user was added. + - $osquery_2 +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_3 +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. 
+- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Delete the account that seems to be involved in malicious activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" risk_score = 47 rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 5b6867233..ae03e4a8d 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml 
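Review bot: The guide heading doubles a word: `### Investigating Linux User User Added to Privileged Group` should be `### Investigating Linux User Added to Privileged Group`, matching the rule `name` a few lines above it. In the same paragraph, `This rule identifies the usages of` reads better as `This rule identifies the usage of`, as the sibling guide in the previous file phrases it.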
@@ -2,9 +2,45 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/04/05" +updated_date = "2023/06/22" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve File Information" +query = "SELECT * FROM file WHERE path = {{file.path}}" + +[[transform.osquery]] +label = "Osquery - Retrieve File Listing Information" +query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')" + +[[transform.osquery]] +label = "Osquery - Retrieve Additional File Listing Information" +query = """ +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%') +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Crontab Information" +query = "SELECT * FROM crontab" [rule] author = ["Elastic"] 
@@ -21,41 +57,94 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Potential Persistence Through MOTD File Creation Detected" +note = """## Triage and analysis + +### Investigating Potential Persistence Through MOTD File Creation Detected + +The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux. + +Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges. + +This rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible Investigation Steps + +- Investigate the file that was created or modified. + - $osquery_0 +- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered. + - $osquery_1 + - $osquery_2 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_3 +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. 
+ - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - $osquery_4 + +### Related Rules + +- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447 + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the MOTD files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = [ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" ] risk_score = 47 rule_id = "96d11d31-9a79-480f-8401-da28b194608f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] type = "new_terms" - query = ''' host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not -process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not -file.extension : "swp" +process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not file.extension : "swp" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.name"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" \ No newline at end of file +value = "now-7d" diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 28c2e3524..356b0bc88 100644 
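Review bot: The false-positive section states the activity is unlikely to happen legitimately, yet the query in the same hunk has to exclude `/usr/bin/dpkg`, `/usr/bin/dockerd` and `/bin/rpm`, so package and container tooling does write to these directories and an analyst should be told so; a line such as `- Package managers and container runtimes legitimately create files here during updates; verify the owning package before treating the write as suspicious.` under "False positive analysis" would cover it. The exclusion is by exact executable path, and `/bin/rpm` is listed while the dpkg entry is under `/usr/bin`, so on merged-/usr distributions the rpm exclusion may not match — worth confirming rather than documenting as "unlikely". Also `#### Possible Investigation Steps` is capitalised differently from the `#### Possible investigation steps` heading used in the user-account hunks above.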
--- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -4,8 +4,43 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/03" +updated_date = "2023/06/22" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve File Information" +query = "SELECT * FROM file WHERE path = {{file.path}}" + +[[transform.osquery]] +label = "Osquery - Retrieve File Listing Information" +query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')" + +[[transform.osquery]] +label = "Osquery - Retrieve Additional File Listing Information" +query = """ +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%') +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Crontab Information" +query = "SELECT * FROM crontab" [rule] author = ["Elastic"] description = """ 
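Review bot: The first transform, `query = "SELECT * FROM file WHERE path = {{file.path}}"`, is bound to `$osquery_0` in the next hunk, but this rule's alerts are process events (the EQL in the later hunk matches on `process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*")`), so `file.path` is unlikely to be populated and the rendered query would carry an empty value. The MOTD script that spawned the process is what the step asks the analyst to inspect; `query = "SELECT * FROM file WHERE path = {{process.parent.executable}}"` presumably renders correctly — confirm against a sample alert. The remaining four transforms are byte-identical to those added in `persistence_message_of_the_day_creation.toml` above.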
@@ -21,16 +56,72 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious Process Spawned from MOTD Detected" +note = """## Triage and analysis + +### Investigating Suspicious Process Spawned from MOTD Detected + +The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux. + +Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable. + +This rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible Investigation Steps + +- Investigate the file that was created or modified from which the suspicious process was executed. + - $osquery_0 +- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered. + - $osquery_1 + - $osquery_2 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_3 +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
+ - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services, and other persistence mechanisms. + - $osquery_4 + +### Related Rules + +- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the MOTD files or restore them to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = [ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" ] risk_score = 73 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -38,16 +129,14 @@ process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/* process.executable : ("*sh", "python*", "perl", "php*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 3e007149e..2e7ed3f10 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml 
@@ -6,6 +6,23 @@ min_stack_comments = "Multiple field support in the New Terms rule type was adde min_stack_version = "8.6.0" updated_date = "2023/06/22" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve File Information" +query = "SELECT * FROM file WHERE path = {{file.path}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve rc-local.service File Information" +query = "SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')" + +[[transform.osquery]] +label = "Osquery - Retrieve Crontab Information" +query = "SELECT * FROM crontab" + [rule] author = ["Elastic"] description = """ 
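Review bot: The `Retrieve rc-local.service File Information` query ORs two identical paths — `/run/systemd/generator/multi-user.target.wants/rc-local.service` appears on both sides — so the second alternative adds nothing. The investigation step in the next hunk names `/lib/systemd/system/rc-local.service` as the other location, which is presumably what the second branch was meant to be: `query = "SELECT * FROM file WHERE (path = '/lib/systemd/system/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')"`.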
@@ -17,10 +34,68 @@ boot. Adversaries may alter rc.local to execute malicious code at start-up, and system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "auditbeat-*", "endgame-*"] +index = ["logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Potential Persistence Through Run Control Detected" +note = """## Triage and analysis + +### Investigating Potential Persistence Through Run Control Detected + +The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. + +There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. + +Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible Investigation Steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the file that was created or modified. + - $osquery_0 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_1 +- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`. 
+ - $osquery_2 + - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file. + - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep "rc-local.service|/etc/rc.local Compatibility"` can be executed to check for the execution of the service. + - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - $osquery_3 + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. 
+- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the `service/rc.local` files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", 
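Review bot: The documented log check `sudo cat /var/log/syslog | grep "rc-local.service|/etc/rc.local Compatibility"` matches neither string, because without `-E` grep treats `|` as a literal character; an analyst following the guide would see no hits and could wrongly conclude the script never ran. Suggest `sudo grep -E "rc-local.service|/etc/rc.local Compatibility" /var/log/syslog*`, which also covers the rotated files the following sentence asks the analyst to search with a wildcard. Minor wording in the same hunk: `in a benign matter` should read `in a benign manner`, and `Delete the `service/rc.local` files` is ambiguous — naming `/etc/rc.local` and the `rc-local.service` unit would be clearer. `### False Positive Analysis` is also capitalised differently from the `### False positive analysis` heading used in the earlier guides.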
@@ -30,9 +105,8 @@ references = [ risk_score = 47 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] type = "new_terms" - query = ''' host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index 6bac9f0b1..20e17bd1d 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml 
@@ -2,9 +2,59 @@ creation_date = "2023/02/24" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/04/05" +updated_date = "2023/06/22" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve File Information" +query = "SELECT * FROM file WHERE path = {{file.path}}" + +[[transform.osquery]] +label = "Osquery - Retrieve File Listing Information" +query = """ +SELECT * FROM file WHERE ( +path LIKE '/etc/systemd/system/%' OR +path LIKE '/usr/local/lib/systemd/system/%' OR +path LIKE '/lib/systemd/system/%' OR +path LIKE '/usr/lib/systemd/system/%' OR +path LIKE '/home/user/.config/systemd/user/%' +) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Additional File Listing Information" +query = """ +SELECT + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN groups g ON f.gid = g.gid +WHERE ( +path LIKE '/etc/systemd/system/%' OR +path LIKE '/usr/local/lib/systemd/system/%' OR +path LIKE '/lib/systemd/system/%' OR +path LIKE '/usr/lib/systemd/system/%' OR +path LIKE '/home/{{user.name}}/.config/systemd/user/%' +) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Crontab Information" +query = "SELECT * FROM crontab" [rule] author = ["Elastic"] 
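Review bot: In the `Retrieve File Listing Information` query the last pattern is the literal `path LIKE '/home/user/.config/systemd/user/%'`, whereas the `Retrieve Additional File Listing Information` query below uses `path LIKE '/home/{{user.name}}/.config/systemd/user/%'`; the literal only matches a home directory actually named `user`, so `$osquery_1` silently misses per-user timers that `$osquery_2` finds. Change that line to `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` to match its sibling. Both queries would still miss user units whose home is outside `/home` (for example root's `/root/.config/systemd/user/`) — presumably acceptable, but worth a sentence in the guide.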
@@ -19,6 +69,64 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "New Systemd Timer Created" +note = """## Triage and analysis + +### Investigating New Systemd Timer Created + +Systemd timers are used for scheduling and automating recurring tasks or services on Linux systems. + +Attackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. + +This rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible Investigation Steps + +- Investigate the timer file that was created or modified. + - $osquery_0 +- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`. +- Search for the systemd service file named similarly to the timer that was created. +- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery. + - $osquery_1 + - $osquery_2 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_3 +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
+ - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - $osquery_4 + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = [ "https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" @@ -26,10 +134,9 @@ references = [ risk_score = 21 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or 
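Review bot: The investigation step `sudo systemctl list-timers` shows only active system-scope timers, so a timer that was written but not yet enabled, or one dropped under `~/.config/systemd/user/` (a path this very guide's osquery listings search), will not appear; suggest `sudo systemctl list-timers --all` plus `systemctl --user list-timers --all` run as the affected user. The remediation bullet `Delete the service/timer or restore its original configuration` leaves the unit loaded in the running manager, so the job may still fire until the daemon is reloaded; add that the timer should be stopped and disabled first (`systemctl disable --now <name>.timer`) and `systemctl daemon-reload` run after the file is removed. The rule's `query` that this guide describes is in a later hunk, outside this one.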
@@ -39,26 +146,26 @@ process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.006" name = "Systemd Timers" reference = "https://attack.mitre.org/techniques/T1053/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.name"] + [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index 74a69ddc2..200fe3b6a 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml @@ -28,7 +28,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload +event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and +event.action:(updated or renamed or rename) ''' diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml new file mode 100644 index 000000000..5f49255c9 --- /dev/null +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml 
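Review bot: Adding `event.action:(updated or renamed or rename)` drops the creation event that the previous `not event.type:deletion` filter still matched, yet `/etc/ld.so.preload` does not exist on a stock system until an attacker writes it, so the initial drop of the file (e.g. `echo /tmp/x.so > /etc/ld.so.preload`) is the event most worth catching. If the data sources behind this rule report that write with a distinct creation action (the new systemd timer rule in this same diff matches `"creation" or "file_create_event"`, which suggests they do), that first write is now invisible unless a separate modification event follows it. Suggest `event.action:(creation or file_create_event or updated or renamed or rename)`, or, if the intent was to silence one noisy action, exclude that action explicitly rather than allow-listing. The rule's `index` line is outside this hunk, so which data sources apply could not be confirmed here.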
@@ -0,0 +1,87 @@ +[metadata] +creation_date = "2023/06/09" +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/09" +integration = ["endpoint"] + +[rule] +author = ["Elastic"] +description = """ +This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential +compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different +kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, +escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to +tamper with the system's trusted state, allowing e.g. a VM Escape. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Kernel Load or Unload via Kexec Detected" +references = [ + "https://www.crowdstrike.com/blog/venom-vulnerability-details/", + "https://www.makeuseof.com/what-is-venom-vulnerability/", + "https://madaidans-insecurities.github.io/guides/linux-hardening.html" +] +risk_score = 73 +rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957" +severity = "high" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and +process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = 
"https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1601" +name = "Modify System Image" +reference = "https://attack.mitre.org/techniques/T1601/" + +[[rule.threat.technique.subtechnique]] +id = "T1601.001" +name = "Patch System Image" +reference = "https://attack.mitre.org/techniques/T1601/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index ca073a26c..91d526783 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -2,8 +2,8 @@ creation_date = "2022/09/01" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.3.0" +min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4" +min_stack_version = "8.4.0" updated_date = "2023/06/22" [rule] 
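Review bot: The query `process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")` has no exclusion for the two routine legitimate uses of kexec, kdump crash-kernel management and kexec-based fast reboot, so hosts that unload a crash kernel (`kexec -p -u` style invocations contain `-u`) or that run `kexec -l`/`-e` from the shutdown path will raise this `severity = "high"` alert on every such event. Consider a `note` with a false-positive section and, once confirmed against real data, a parent-process or command-line exception for the distribution's kdump and kexec-reboot units. Separately, the description's claim `allowing e.g. a VM Escape` is not supported by the cited references: VENOM (CVE-2015-3456) is a QEMU floppy-controller bug unrelated to kexec, so either drop the sentence or cite a source that actually ties kexec to guest escape.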
@@ -14,77 +14,60 @@ privileges to root, threat actors may attempt to read or dump this file in order utilize these to move laterally undetected and access additional resources. """ from = "now-9m" -index = ["auditbeat-*", "logs-endpoint.events.*"] -language = "eql" +index = ["logs-endpoint.events.*", "endgame-*"] +language = "kuery" license = "Elastic License v2" name = "Potential Shadow File Read via Command Line Utilities" references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"] risk_score = 47 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access"] +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" -type = "eql" +type = "new_terms" query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and user.name == "root" - and (process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) - and not process.executable: - ("/usr/bin/tar", - "/bin/tar", - "/usr/bin/gzip", - "/bin/gzip", - "/usr/bin/zip", - "/bin/zip", - "/usr/bin/stat", - "/bin/stat", - "/usr/bin/cmp", - "/bin/cmp", - "/usr/bin/sudo", - "/bin/sudo", - "/usr/bin/find", - "/bin/find", - "/usr/bin/ls", - "/bin/ls", - "/usr/bin/uniq", - "/bin/uniq", - "/usr/bin/unzip", - "/bin/unzip", - "/usr/sbin/restorecon", - "/sbin/restorecon") - and not process.parent.executable: "/bin/dracut" and - not (process.executable : ("/bin/chown", "/usr/bin/chown") and process.args : "root:shadow") and - not (process.executable : ("/bin/chmod", "/usr/bin/chmod") and process.args : "640") +host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and +(process.args : "/etc/shadow" or 
(process.working_directory: "/etc" and process.args: "shadow")) and not +(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") and not +(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.008" name = "/etc/passwd and /etc/shadow" reference = "https://attack.mitre.org/techniques/T1003/008/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[rule.new_terms] +field = "new_terms_fields" +value = ["process.command_line"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml new file mode 100644 index 000000000..0ea2ed720 --- /dev/null +++ b/rules/network/discovery_potential_network_sweep_detected.toml 
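Review bot: The rewritten query still matches only the exact strings `/etc/shadow` and `shadow`, so the hash backup `/etc/shadow-` (left behind by `passwd`/`usermod` on most distributions and readable with the same privileges), `/etc/gshadow`, and trivially varied paths such as `/etc//shadow` or `/etc/./shadow` all slip past it; `process.args : ("/etc/shadow" or "/etc/shadow-" or "/etc/gshadow" or "/etc/gshadow-")` closes the first two gaps without widening the match to unrelated files. Dropping the old `user.name == "root"` guard and the long executable allow-list is defensible now that `new_terms` on `process.command_line` suppresses repeats, but a non-root attempt is now a credential-access signal rather than a privilege-escalation one, so the description (outside this hunk) should say that failed reads are intentionally in scope. Note that `process.command_line` as the sole new-terms field means any benign backup job that varies its arguments (timestamps in paths, for example) produces a fresh alert each time; worth a false-positive line in the description.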
@@ -0,0 +1,68 @@ +[metadata] +creation_date = "2023/05/17" +integration = ["endpoint", "network_traffic"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/05/26" + +[rule] +author = ["Elastic"] +description = ''' +This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target +network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and +weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized +access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts +from one source host to 10 or more destination hosts on commonly used network services. +''' +from = "now-9m" +index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential Network Sweep Detected" + +risk_score = 47 +rule_id = "781f8746-2180-4691-890c-4c96d11ca91d" +severity = "medium" +tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"] +type = "threshold" + +query = ''' +destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = 
"https://attack.mitre.org/techniques/T1595/001/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[rule.threshold]
+field = ["source.ip"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "destination.ip"
+value = 10
diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
new file mode 100644
index 000000000..f90c7fc80
--- /dev/null
+++ b/rules/network/discovery_potential_port_scan_detected.toml
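Review bot: The threshold groups only on `source.ip` with no direction, zone or role filter, so any host whose job is to reach many peers on these ports, an SSH/Ansible bastion, a monitoring server probing 22/3389/5985, a mail relay delivering to ten MXs on 25, a backup server on 445, will trip the 10-destination cardinality in every `now-9m` window, and there is no `note` telling the analyst to expect that. Add a false-positive section recommending exceptions for authorized scanners and management hosts, and consider counting only attempted or refused connections; the port-scan rule in this same diff already restricts on `event.action`, whereas `destination.port : (21 or 22 or ...)` here counts established, long-lived flows as well. The `index` list mixes endpoint connection events with flow records, so a single host can be counted from two sources for the same traffic; state which source the threshold was tuned against.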
@@ -0,0 +1,69 @@ +[metadata] +creation_date = "2023/05/17" +integration = ["endpoint", "network_traffic"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/05/26" + +[rule] +author = ["Elastic"] +description = ''' +This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a +target system or network for open ports, allowing them to identify available services and potential vulnerabilities. +By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining +unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further +exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts +from one source host to 20 or more destination ports. +''' +from = "now-9m" +index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential Network Scan Detected" + +risk_score = 47 +rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b" +severity = "medium" +tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"] +type = "threshold" + +query = ''' +destination.port :* and event.action: ("network_flow" or "connection_accepted" or "connection_attempted" ) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + 
+[[rule.threat.technique.subtechnique]]
+id = "T1595.001"
+name = "Scanning IP Blocks"
+reference = "https://attack.mitre.org/techniques/T1595/001/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[rule.threshold]
+field = ["destination.ip", "source.ip"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "destination.port"
+value = 20
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
new file mode 100644
index 000000000..d95732050
--- /dev/null
+++ b/rules/network/discovery_potential_syn_port_scan_detected.toml
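Review bot: Counting 20 distinct `destination.port` values per (`destination.ip`, `source.ip`) pair with `destination.port :*` will pick up ordinary RPC clients: a Windows domain member talking to a domain controller can hit many endpoint-mapper-assigned ports in the dynamic range (49152-65535) in a short window, and NFS/portmapper or passive-FTP clients behave similarly, so this rule is likely to be noisy without an exclusion for high ports or for known client/server pairs. Consider scoping to well-known ports (`destination.port < 1024` or a curated list as the sweep rule in this diff uses) or, failing that, a `note` with a false-positive section naming those exceptions. The rule also has no `setup` stating which of the three `index` sources it was tuned on; the event.action values listed (`network_flow` vs `connection_accepted`/`connection_attempted`) come from different producers with different semantics, and the same connection seen by both would be counted twice.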
@@ -0,0 +1,69 @@ +[metadata] +creation_date = "2023/05/17" +integration = ["endpoint", "network_traffic"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/05/26" + +[rule] +author = ["Elastic"] +description = ''' +This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a +target network for open ports by sending SYN packets to multiple ports and observing the response. +Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, +allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its +security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic +to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. 
+''' +from = "now-9m" +index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential SYN-Based Network Scan Detected" + +risk_score = 47 +rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409" +severity = "medium" +tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"] +type = "threshold" + +query = ''' +destination.port :* and network.packets <= 2 +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[rule.threshold] +field = ["destination.ip", "source.ip"] +value = 1 +[[rule.threshold.cardinality]] +field = "destination.port" +value = 10 diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index 1e76a5df5..2cf82c64e 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml +++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/05" [rule] author = ["Elastic"] 
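Review bot: `network.packets <= 2` is a flow-record field; the endpoint connection events in `logs-endpoint.events.network-*` do not, as far as I can tell, carry `network.packets`, so for that index the query never matches and listing it is misleading. Either drop the endpoint index here and keep `logs-network_traffic.*`/`packetbeat-*`, or add a `setup` note stating that the rule only fires on flow data. The description's `2 or less packets per port` fits a SYN to a closed port (SYN then RST), but a half-open scan of an open port is SYN, SYN-ACK, RST, three packets if the flow counts both directions, so this rule mostly observes probes of closed ports and undercounts the open ones the attacker actually cares about; worth saying in the description, or raising the bound to 3 after checking real flow data.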
@@ -68,7 +68,10 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest" +event.category:process and host.os.type:windows and + powershell.file.script_block_text : "New-MailboxExportRequest" and + not (file.path : (*Microsoft* and *Exchange* and *RemotePowerShell* or *AppData* and *Local*) and + file.name:(*.psd1 or *.psm1)) ''' diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 77cc89346..c2c92900e 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/17" [rule] author = ["Elastic"] @@ -82,8 +82,14 @@ type = "query" query = ''' event.category:process and host.os.type:windows and powershell.file.script_block_text : ( - "Get-MicrophoneAudio" or (waveInGetNumDevs and mciSendStringA) - ) and not user.id : "S-1-5-18" + "Get-MicrophoneAudio" or + "WindowsAudioDevice-Powershell-Cmdlet" or + (waveInGetNumDevs and mciSendStringA) + ) + and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + ) + and not user.id : "S-1-5-18" ''' diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml index 561f20119..f7e9a2d0e 100644 --- a/rules/windows/collection_posh_clipboard_capture.toml +++ b/rules/windows/collection_posh_clipboard_capture.toml 
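Review bot: The new exclusion `not (file.path : (*Microsoft* and *Exchange* and *RemotePowerShell* or *AppData* and *Local*) and file.name:(*.psd1 or *.psm1))` allow-lists any module file under a path containing `AppData` and `Local`, which is a user-writable directory, so an attacker who saves a script as `%LOCALAPPDATA%\anything\x.psm1` and imports it suppresses this alert outright. If the second branch is meant for the implicit-remoting module that `Import-PSSession` generates in the user's temp directory, narrow it to that pattern rather than the whole of `AppData\Local`, and in any case parenthesize the two branches (`(*Microsoft* and *Exchange* and *RemotePowerShell*) or (*AppData* and *Local*)`) so the reader does not have to rely on KQL's `and`-over-`or` precedence. `file.path`/`file.name` on a script-block event are only populated for scripts run from disk, so the exclusion is also silently inert for in-memory execution, which is fine but worth a comment.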
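Review bot: The new exclusion `not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators")` is keyed entirely on text the script author controls: a single comment line `# sentinelbreakpoints Set-PSBreakpoint PowerSploitIndicators` inside a malicious audio-capture script turns this rule off for that script block, because script block logging records exactly the text being matched. Anchor the allow-list on something the attacker does not author, such as the vendor script's on-disk `file.path` or the parent process that loads it, and keep the text match only as a secondary condition. The same pattern is introduced in the clipboard and keylogger rules later in this diff.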
@@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/28" +updated_date = "2023/07/05" [rule] author = ["Elastic"] @@ -95,7 +95,15 @@ event.category:process and host.os.type:windows and "]::GetText" or ".Paste()" )) or powershell.file.script_block_text : "Get-Clipboard" + and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + ) and not user.id : "S-1-5-18" + and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1) + and not ( + file.path : *WindowsPowerShell*Modules*.ps1 and + file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1") + ) ''' diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 59b2c862b..8752a6e53 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/28" +updated_date = "2023/07/05" [rule] author = ["Elastic"] @@ -93,6 +93,9 @@ event.category:process and host.os.type:windows and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL") ) ) and not user.id : "S-1-5-18" + and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + ) ''' diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml index fd25c5601..bbc6e20ee 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml 
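Review bot: Both new path exclusions sit on user-writable locations: `*WindowsPowerShell*Modules*.psd1`/`.psm1` also matches the per-user module root under `Documents\WindowsPowerShell\Modules\`, and the `.ps1` branch is satisfied by any file literally named `Read-Clipboard.ps1` or `Convert-ExcelRangeToImage.ps1` under such a path, so an attacker can suppress this rule by choosing a file name rather than changing technique. Restrict the module exclusion to the machine-wide module paths and pin the two named scripts to their shipping module directory (for example `*\Modules\ImportExcel\*` if that is where `Convert-ExcelRangeToImage.ps1` comes from; verify) instead of the bare name. Unless the parentheses opened before this hunk wrap the whole expression, KQL's `and`-over-`or` precedence means every `and not` clause here, including the pre-existing `not user.id : "S-1-5-18"`, applies only to the `powershell.file.script_block_text : "Get-Clipboard"` branch and not to the `GetText`/`Paste()` branch above it; wrap the two positive branches in parentheses so the exclusions apply to both. The `sentinelbreakpoints` text exclusion has the same attacker-controlled-input weakness raised on the audio-capture rule.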
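Review bot: The exclusion added here, `not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators")`, depends only on script text, and the author of a malicious keylogger script controls that text, so embedding those three tokens in a comment is enough to switch the rule off for that script. Anchor the allow-list on the vendor script's on-disk path or its parent process and keep the text match as a secondary condition. The positive part of the query, with its `GetForegroundWindow`/`WM_KEYBOARD_LL` terms, starts before this hunk, so whether the new `and not` binds to the whole expression or only to the last `or` branch could not be checked from here; worth confirming the parentheses.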
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml @@ -4,7 +4,7 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" min_stack_version = "8.4.0" -updated_date = "2023/05/02" +updated_date = "2023/05/31" [rule] author = ["Elastic"] 
@@ -19,6 +19,40 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "First Time Seen Commonly Abused Remote Access Tool Execution" +note = """ +## Triage and analysis + +### Investigating First Time Seen Commonly Abused Remote Access Tool Execution + +Remote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems. + +At the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc. + +This rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Check if the execution of the remote access tool is approved by the organization's IT department. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Contact the account owner and confirm whether they are aware of this activity. + - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering. 
+- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes. + +### False positive analysis + +- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program. +- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = [ "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/", 
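Review bot: The first investigation step asks whether the executable is `signed with valid digital signatures`, but the commercial remote-access tools this rule targets are validly signed whether or not their use was authorized, so a good signature is not evidence of benign use here; reword to something like `whether the signature belongs to the expected vendor (a valid signature does not mean the use was authorized)`. The remediation list never says to remove the tool: add a bullet such as `Uninstall the remote access tool, remove any service or scheduled task it registered, and revoke or rotate any unattended-access password or device ID configured in it`, since isolating the host alone leaves the access channel in place once it is reconnected. The guide's `for the first time in the last 15 days` should match the rule's `history_window_start`, which is outside this hunk; worth a quick check.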
@@ -26,7 +60,7 @@ references = [ risk_score = 47 rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml index c6905e711..a95ac0fbf 100644 --- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml +++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" min_stack_version = "8.4.0" -updated_date = "2023/06/22" +updated_date = "2023/06/27" [rule] author = ["Elastic"] 
@@ -18,7 +18,44 @@ index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "FirstTime Seen Account Performing DCSync"
-note = """## Setup
+note = """## Triage and analysis
+
+### Investigating FirstTime Seen Account Performing DCSync
+
+Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.
+
+Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.
+
+Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.
+
+More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).
+
+This rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.
+
+#### Possible investigation steps
+
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account and system owners and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.
+- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).
+
+### False positive analysis
+
+- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.
+- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- If the entire domain or the `krbtgt` user was compromised:
+ - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.
+- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
 
 The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
@@ -33,8 +70,6 @@ Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)
 ```
 
 
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
 "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
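Review bot: The new Triage section states that the rule keys on Windows Event ID 4662, but the Setup text it now sits above (context lines `The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).` and `Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)`) names the subcategory that, as far as I can tell from Microsoft's audit policy reference, produces the 5136-5141 object-change events; 4662 is produced by the sibling subcategory 'Audit Directory Service Access' (and typically also requires a SACL on the replicated objects). An operator who follows only these Setup steps may therefore never generate the events the rule needs, so both lines should read `Audit Directory Service Access`, or the Setup section should say explicitly that 4662 comes from that subcategory. The same Setup wording appears as context in the credential_access_dcsync_replication_rights.toml hunk further down this diff, so it is worth fixing in both files together.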
@@ -47,7 +82,7 @@ references = [
 risk_score = 73
 rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index d08f6dbdf..547ae022d 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -30,7 +30,7 @@ Adversaries can use the DCSync technique that uses Windows Domain Controller's A
 
 More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).
 
-This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).
+This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).
 
 #### Possible investigation steps
 
@@ -48,9 +48,8 @@ This rule monitors for Event ID 4662 (Operation was performed on an Active Direc
 ### Response and remediation
 
 - Initiate the incident response process based on the outcome of the triage.
-- If specific credentials were compromised:
- - Reset the password for these accounts and other potentially compromised credentials, like email, business systems, and web services.
-- If the entire domain or the `krbtgt` user were compromised:
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- If the entire domain or the `krbtgt` user was compromised:
 - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.
 - Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
@@ -71,8 +70,6 @@ Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)
 ```
 
 
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 references = [
 "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 7e6f7f201..8deda4fd0 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/06/29"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2023/06/29"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
index a83fadcde..5129c36b4 100644
--- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml
+++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/19"
 
 [rule]
 author = ["Elastic"]
@@ -17,13 +17,45 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "PowerShell Invoke-NinjaCopy script"
+note = """## Triage and analysis
+
+### Investigating PowerShell Invoke-NinjaCopy script
+
+PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.
+
+Invoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.
+
+#### Possible investigation steps
+
+- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Examine file or network events from the involved PowerShell process for suspicious behavior.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Evaluate whether the user needs to use PowerShell to complete tasks.
+- Determine whether the script stores the captured data locally.
+- Check if the imported function was executed and which file it targeted.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 references = [
 "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"
 ]
 risk_score = 47
 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -39,6 +71,9 @@ event.category:process and host.os.type:windows and
 
 "Invoke-NinjaCopy"
 ) and not user.id : "S-1-5-18"
+ and not powershell.file.script_block_text : (
+ "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+ )
 '''
 
 
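Review bot: The new exclusion `and not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators")` is keyed on script content alone, so any script block that carries those three tokens is dropped regardless of where it was loaded from or which account ran it, which is a broader allow-list than the `user.id` guard right above it suggests. If the tokens identify one vendor's agent script, scoping the clause with the file-origin fields this diff already uses elsewhere (`file.name` in defense_evasion_posh_assembly_load.toml, `file.directory` in defense_evasion_posh_compressed.toml) keeps the false-positive fix without the blanket effect, and a one-line comment naming that source would help the next maintainer judge it. The identical clause is added in credential_access_posh_request_ticket.toml and defense_evasion_amsi_bypass_powershell.toml, so whatever is decided here applies to all three. A wording nit in the new note: `reading SYSTEM files that were normally locked` reads better as `that are normally locked`.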
@@ -85,3 +120,14 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1006"
+name = "Direct Volume Access"
+reference = "https://attack.mitre.org/techniques/T1006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index bdf15d76a..6e562f4ff 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/05"
 
 [rule]
 author = ["Elastic"]
@@ -85,6 +85,9 @@ event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 KerberosRequestorSecurityToken
 ) and not user.id : "S-1-5-18"
+ and not powershell.file.script_block_text : (
+ "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+ )
 '''
 
 
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index b7e3e8eff..523ae4f9f 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/09/27"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2023/06/29"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index f24551a31..be0e6de82 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -38,12 +38,14 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 /* 2 consecutive vault reads from same pid for web creds */
 
 [any where event.code : "5382" and
- (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
- not winlog.event_data.SubjectLogonId : "0x3e7"]
+ (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+ not winlog.event_data.SubjectLogonId : "0x3e7" and
+ not winlog.event_data.Resource : "http://localhost/"]
 
 [any where event.code : "5382" and
- (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" or winlog.event_data.Resource : "http*") and
- not winlog.event_data.SubjectLogonId : "0x3e7"]
+ (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
+ not winlog.event_data.SubjectLogonId : "0x3e7" and
+ not winlog.event_data.Resource : "http://localhost/"]
 '''
 
 
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index a4773ecc5..1ceea773f 100644
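Review bot: The credential_access_saved_creds_vault_winlog.toml query is changed (`or` → `and`, plus the `http://localhost/` exclusion in both sequence steps) but no `updated_date` hunk for that file is visible in this diff, whereas the other rule files here whose queries changed (credential_access_posh_request_ticket.toml, defense_evasion_amsi_bypass_dllhijack.toml) bump it in the same commit; if the repository's versioning keys off that field, this change may not be picked up. The `or` → `and` also narrows the match so that a 5382 read whose `Resource` is `http*` but whose `SchemaFriendlyName` is not `Windows Web Password Credential` no longer qualifies, which is presumably the intent; a short comment next to the existing `/* 2 consecutive vault reads from same pid for web creds */` saying why both conditions are now required would make the narrowing deliberate on the page. The two step bodies are byte-identical, so the new `localhost` exclusion has to be kept in sync in two places.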
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2023/06/29"
 
 [rule]
 author = ["Elastic"]
@@ -30,23 +30,23 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.code == "10" and
 winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
- not winlog.event_data.GrantedAccess :
- ("0x1000", "0x1400", "0x101400", "0x101000", "0x101001", "0x100000", "0x100040", "0x3200", "0x40", "0x3200") and
- not process.name : ("procexp64.exe", "procmon.exe", "procexp.exe", "Microsoft.Identity.AadConnect.Health.AadSync.Host.ex") and
- not process.executable :
- ("?:\\Windows\\System32\\lsm.exe",
- "?:\\Program Files\\*",
- "?:\\Program Files (x86)\\*",
- "?:\\Windows\\System32\\msiexec.exe",
- "?:\\Windows\\CCM\\CcmExec.exe",
- "?:\\Windows\\system32\\csrss.exe",
- "?:\\Windows\\system32\\wininit.exe",
- "?:\\Windows\\system32\\wbem\\wmiprvse.exe",
- "?:\\Windows\\system32\\MRT.exe",
- "?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*",
- "?:\\ProgramData\\WebEx\\webex\\*",
- "?:\\Windows\\LTSvc\\LTSVC.exe") and
- not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
+ not winlog.event_data.GrantedAccess :
+ ("0x1000", "0x1400", "0x101400", "0x101000", "0x101001", "0x100000", "0x100040", "0x3200", "0x40", "0x3200") and
+ not process.name : ("procexp64.exe", "procmon.exe", "procexp.exe", "Microsoft.Identity.AadConnect.Health.AadSync.Host.ex") and
+ not process.executable :
+ ("?:\\Windows\\System32\\lsm.exe",
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\System32\\msiexec.exe",
+ "?:\\Windows\\CCM\\CcmExec.exe",
+ "?:\\Windows\\system32\\csrss.exe",
+ "?:\\Windows\\system32\\wininit.exe",
+ "?:\\Windows\\system32\\wbem\\wmiprvse.exe",
+ "?:\\Windows\\system32\\MRT.exe",
+ "?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*",
+ "?:\\ProgramData\\WebEx\\webex\\*",
+ "?:\\Windows\\LTSvc\\LTSVC.exe") and
+ not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
 '''
 
 
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index c60078310..ad11964ba 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/07"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2023/06/29"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index 252fcb7d5..ff5beb14c 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2023/06/29"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index d590c4994..852ec7c1f 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/30"
 
 [transform]
 [[transform.osquery]]
@@ -108,7 +108,7 @@ type = "eql"
 
 query = '''
 file where host.os.type == "windows" and event.action != "deletion" and file.path != null and
- file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", "?:\\Windows\\SoftwareDistribuition\\Download\\*")
+ file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", "?:\\$WINDOWS.~BT\\Work\\*\\*", "?:\\Windows\\SoftwareDistribution\\Download\\*")
 '''
 
 
diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index 344c16ae7..af1c745a6 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/28"
+updated_date = "2023/07/05"
 
 [transform]
 [[transform.osquery]]
@@ -113,8 +113,7 @@ event.category:"process" and host.os.type:windows and
 "amsi.dll" or
 AntimalwareProvider or
 amsiSession or
- amsiContext or
- "System.Management.Automation.ScriptBlock" or
+ amsiContext or
 AmsiInitialize or
 unloadobfuscated or
 unloadsilent or
@@ -124,6 +123,9 @@ event.category:"process" and host.os.type:windows and
 powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
 powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
 )
+ and not powershell.file.script_block_text : (
+ "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+ )
 '''
 
 
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index 72d10874a..d64c30893 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/06/22"
+updated_date = "2023/07/05"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -133,7 +133,16 @@ event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 "[System.Reflection.Assembly]::Load" or
 "[Reflection.Assembly]::Load"
- ) and not user.id : "S-1-5-18"
+ ) and not
+ powershell.file.script_block_text : (
+ ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and
+ "HelpDisplayStrings"
+ ) and not
+ (powershell.file.script_block_text :
+ ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and
+ not file.name : "PathFunctions.ps1"
+ )
+ and not user.id : "S-1-5-18"
 '''
 
 
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 55734b836..89c00a98a 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
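Review bot: In the new defense_evasion_posh_assembly_load.toml clause `and not (powershell.file.script_block_text : ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and not file.name : "PathFunctions.ps1")` the inner negation looks inverted: as written, a script block carrying those tokens is excluded when its file is anything other than `PathFunctions.ps1`, while `PathFunctions.ps1` itself still alerts. If the intent is to allow-list that one known helper script, the inner condition should be `and file.name : "PathFunctions.ps1"`; if the inversion is deliberate, a comment explaining why the named file is the one that should keep firing would spare the next reader the same double-take. The `("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and "HelpDisplayStrings"` exclusion is content-only, so a comment naming the built-in module it is meant to match would also help.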
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/05"
 
 [transform]
 [[transform.osquery]]
@@ -141,6 +141,7 @@ event.category:process and host.os.type:windows and
 ) and not (user.id:("S-1-5-18" or "S-1-5-19") and file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
+ and not user.id : "S-1-5-18"
 '''
 
 
diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml
index 3105b0e97..b0dad0dc8 100644
--- a/rules/windows/defense_evasion_posh_encryption.toml
+++ b/rules/windows/defense_evasion_posh_encryption.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/28"
+updated_date = "2023/06/29"
 
 [rule]
 author = ["Elastic"]
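Review bot: The added `and not user.id : "S-1-5-18"` in defense_evasion_posh_compressed.toml makes the preceding context clause `and not (user.id:("S-1-5-18" or "S-1-5-19") and file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")` reachable only for S-1-5-19, since every S-1-5-18 event is now dropped regardless of directory. Either narrow that earlier clause to `user.id : "S-1-5-19"` or remove it if the SYSTEM case was its only purpose, so the query states the policy it actually enforces. The new line also suppresses every SYSTEM-context script block, not just the Defender download path, which is a coverage trade-off worth one sentence in the rule note.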
@@ -18,10 +18,40 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "PowerShell Script with Encryption/Decryption Capabilities"
+note = """## Triage and analysis
+
+### Investigating PowerShell Script with Encryption/Decryption Capabilities
+
+PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.
+
+PowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.
+
+#### Possible investigation steps
+
+- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Examine file or network events from the involved PowerShell process for suspicious behavior.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Evaluate whether the user needs to use PowerShell to complete tasks.
+
+### False positive analysis
+
+- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
 risk_score = 47
 rule_id = "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index fd05cf2be..94e9b6a02 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -4,7 +4,32 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/27"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
 
 [rule]
 author = ["Elastic"]
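Review bot: In the new `Osquery - Retrieve Services Running on User Accounts` transform, `user_account == null` does not test for NULL in SQLite, which is the engine osquery runs queries through: a comparison against NULL yields NULL, and because the surrounding predicate is `NOT (... OR NULL)`, any row whose `LIKE` tests are all false evaluates to `NOT NULL`, which is NULL again and is dropped by WHERE, so the query most likely returns no rows at all. Change the last operand to `user_account IS NULL`. The `$osquery_2` step in the investigation guide below depends on this transform, so as written that step will show analysts an empty table.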
@@ -19,10 +44,58 @@ index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Process Termination followed by Deletion" +note = """## Triage and analysis + +### Investigating Process Termination followed by Deletion + +This rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - $osquery_0 + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. 
+ - Examine the host services for suspicious or anomalous entries. + - $osquery_1 + - $osquery_2 + - $osquery_3 + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + + +### False positive analysis + +- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+""" risk_score = 47 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index c6323fc66..354ce45bf 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/27" [rule] author = ["Elastic"] 
@@ -19,16 +19,40 @@ license = "Elastic License v2" name = "Potential Secure File Deletion via SDelete Utility" note = """## Triage and analysis -Verify process details such as command line and hash to confirm this activity legitimacy. +### Investigating Potential Secure File Deletion via SDelete Utility -## Setup +SDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts. -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +This rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity. + +### False positive analysis + +- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - Prioritize cases involving critical servers and users. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If important data was encrypted, deleted, or modified, activate your data recovery plan. + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ risk_score = 21 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index 520772cac..35c16deba 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/06/22"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2023/06/29"
 
 [transform]
 [[transform.osquery]]
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index ef7146827..1b9369ee6 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/10/24"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Build time field required_fields divergence between -8.7 and 8.8+ due to schema versions."
+min_stack_version = "8.8.0"
+updated_date = "2023/06/29"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index fa95bc2b6..fbac450af 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -4,27 +4,95 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" [rule] author = ["Elastic"] description = """ -Identifies process execution with a single character process name. This is often done by adversaries while staging or -executing temporary utilities. +Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name. 
""" from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] language = "eql" license = "Elastic License v2" -name = "Suspicious Execution - Short Program Name" -note = """## Setup +name = "Renamed Utility Executed with Short Program Name" +note = """## Triage and analysis -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +### Investigating Renamed Utility Executed with Short Program Name + +Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. 
+ - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - $osquery_0 + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - $osquery_1 + - $osquery_2 + - $osquery_3 + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ risk_score = 47 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index db40ed158..931175003 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml 
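Review bot: The new `description` is written as one line of roughly 200 characters, whereas the original wrapped the multi-line string at about 120 columns, and the same unwrapped paragraph is then repeated verbatim under `### Investigating Renamed Utility Executed with Short Program Name`. Wrap it as the old text was, e.g. `Identifies the execution of a process with a single character process name, differing from the original file name. This is` / `often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on` / `the process name.`. The rule's `query` is not touched by this commit; if it does not already compare `process.name` against `process.pe.original_file_name`, the renamed title and description claim more than the rule checks.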
@@ -4,7 +4,33 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] 
@@ -17,14 +43,61 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Suspicious Zoom Child Process" -note = """## Setup +note = """## Triage and analysis -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +### Investigating Suspicious Zoom Child Process + +By examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation. + +This rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the command line of the child process to determine which commands or scripts were executed. 
+- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - $osquery_0 + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - $osquery_1 + - $osquery_2 + - $osquery_3 + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. 
+- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ risk_score = 47 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 955bbd649..7b1707906 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml 
@@ -130,8 +130,14 @@ file where host.os.type == "windows" and event.type == "creation" and "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "?:\\Program Files\\Mozilla Firefox\\firefox.exe", + "?:\\Program Files(x86)\\Microsoft Office\\root\\*\\EXCEL.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE", "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE", - "?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE") and + "?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE") and file.extension : ( diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml index a669619f5..65f595a8f 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/27" [rule] author = ["Elastic"] 
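Review bot: The added exclusion `"?:\\Program Files(x86)\\Microsoft Office\\root\\*\\EXCEL.EXE"` is missing the space before `(x86)` that every other 32-bit entry in the list has, so it can never match the real install path and 32-bit Excel will keep alerting while its 64-bit sibling is excluded. It should read `"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\EXCEL.EXE",`. The field condition that opens this path list starts before the hunk.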
@@ -21,9 +21,36 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Enumerating Domain Trusts via DSQUERY.EXE" -note = """## Setup +note = """## Triage and analysis -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +### Investigating Enumerating Domain Trusts via DSQUERY.EXE + +Active Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a "trusting" domain permits users from a "trusted" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains. + +This rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. 
+ +### Related rules + +- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", @@ -32,7 +59,7 @@ references = [ risk_score = 21 rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index 691e90ce8..322aedf8f 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml 
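Review bot: The remediation bullet `- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.` does not fit a rule that triggers on `dsquery.exe`; it appears carried over from the PowerShell guides earlier in this commit, and the NLTEST.EXE guide (hunk `@@ -24,9 +24,36 @@`) repeats it. Replace it with a step that applies to this discovery tool, e.g. `- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.` as the SDelete guide in this commit already does, or drop it.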
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/27"
 
 [rule]
 author = ["Elastic"]
@@ -24,9 +24,36 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*" language = "eql" license = "Elastic License v2" name = "Enumerating Domain Trusts via NLTEST.EXE" -note = """## Setup +note = """## Triage and analysis -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +### Investigating Enumerating Domain Trusts via NLTEST.EXE + +Active Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a "trusting" domain permits users from a "trusted" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains. + +This rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. 
+ +### Related rules + +- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = [ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", @@ -35,7 +62,7 @@ references = [ risk_score = 21 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index 0b7449ebf..fc16b4a71 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/05" [rule] author = ["Elastic"] 
@@ -109,9 +109,8 @@ event.category:process and host.os.type:windows and LsaEnumerateTrustedDomains or NetScheduleJobEnum or NetUserModalsGet - ) and not - (user.id:("S-1-5-18" or "S-1-5-19") and - file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection") + ) + and not user.id : ("S-1-5-18" or "S-1-5-19") ''' diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml index 465621373..c80403035 100644 --- a/rules/windows/execution_posh_hacktool_functions.toml +++ b/rules/windows/execution_posh_hacktool_functions.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/17" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -53,8 +53,7 @@ event.category:process and host.os.type:windows and "Add-RemoteConnection" or "Add-ServiceDacl" or "Add-Win32Type" or "Convert-ADName" or "Convert-LDAPProperty" or "ConvertFrom-LDAPLogonHours" or - "ConvertFrom-SID" or "ConvertFrom-UACValue" or - "ConvertTo-SID" or "Copy-ArrayOfMemAddresses" or + "ConvertFrom-UACValue" or "Copy-ArrayOfMemAddresses" or "Create-NamedPipe" or "Create-ProcessWithToken" or "Create-RemoteThread" or "Create-SuspendedWinLogon" or "Create-WinLogonProcess" or "Emit-CallThreadStub" or @@ -70,7 +69,7 @@ event.category:process and host.os.type:windows and "Find-ProcessDLLHijack" or "Find-RDPClientConnection" or "Get-AllAttributesForClass" or "Get-CachedGPPPassword" or "Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or - "Get-DelegateType" or "Get-DomainController" or + "Get-DelegateType" or "Get-DomainDFSShare" or "Get-DomainDFSShareV1" or "Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or "Get-DomainDNSZone" or "Get-DomainFileServer" or 
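Review bot: Removing the `file.directory` constraint turns a narrowly scoped Defender for Endpoint exclusion into a blanket one: every PowerShell script block attributed to `S-1-5-18` or `S-1-5-19` is now excluded, including scripts started by services or scheduled tasks running as SYSTEM, which is a common context for the API functions this rule looks for. If the DataCollection path was too narrow, keep a path anchor and widen it to the Defender parent directory rather than dropping it entirely. The sibling rule `privilege_escalation_posh_token_impersonation.toml` in this same commit keeps the path-anchored form of this exclusion, so the two rules now diverge without a comment in either explaining why.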
@@ -94,7 +93,7 @@ event.category:process and host.os.type:windows and "Get-GPPInnerFields" or "Get-GPPPassword" or "Get-GptTmpl" or "Get-GroupsXML" or "Get-HttpStatus" or "Get-ImageNtHeaders" or - "Get-IniContent" or "Get-Keystrokes" or + "Get-Keystrokes" or "Get-MemoryProcAddress" or "Get-MicrophoneAudio" or "Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or "Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or @@ -105,9 +104,8 @@ event.category:process and host.os.type:windows and "Get-NetShare" or "Get-PEArchitecture" or "Get-PEBasicInfo" or "Get-PEDetailedInfo" or "Get-PathAcl" or "Get-PrimaryToken" or - "Get-PrincipalContext" or "Get-ProcAddress" or - "Get-ProcessTokenGroup" or "Get-ProcessTokenPrivilege" or - "Get-ProcessTokenType" or "Get-Property" or + "Get-ProcAddress" or "Get-ProcessTokenGroup" or + "Get-ProcessTokenPrivilege" or "Get-ProcessTokenType" or "Get-RegLoggedOn" or "Get-RegistryAlwaysInstallElevated" or "Get-RegistryAutoLogon" or "Get-RemoteProcAddress" or "Get-Screenshot" or "Get-ServiceDetail" or @@ -140,7 +138,7 @@ event.category:process and host.os.type:windows and "Invoke-WmiCommand" or "Mount-VolumeShadowCopy" or "New-ADObjectAccessControlEntry" or "New-DomainGroup" or "New-DomainUser" or "New-DynamicParameter" or - "New-InMemoryModule" or "New-ScriptBlockCallback" or + "New-InMemoryModule" or "New-ThreadedFunction" or "New-VolumeShadowCopy" or "Out-CompressedDll" or "Out-EncodedCommand" or "Out-EncryptedScript" or "Out-Minidump" or 
@@ -161,7 +159,74 @@ event.category:process and host.os.type:windows and "Invoke-HostEnum" or "Get-BrowserInformation" or "Get-DomainAccountPolicy" or "Get-DomainAdmins" or "Get-AVProcesses" or "Get-AVInfo" or - "Get-RecycleBin" + "Get-RecycleBin" or "Invoke-BruteForce" or + "Get-PassHints" or "Invoke-SessionGopher" or + "Get-LSASecret" or "Get-PassHashes" or + "Invoke-WdigestDowngrade" or "Get-ChromeDump" or + "Invoke-DomainPasswordSpray" or "Get-FoxDump" or + "New-HoneyHash" or "Invoke-DCSync" or + "Invoke-PowerDump" or "Invoke-SSIDExfil" or + "Invoke-PowerShellTCP" or "Add-Exfiltration" or + "Do-Exfiltration" or "Invoke-DropboxUpload" or + "Invoke-ExfilDataToGitHub" or "Invoke-EgressCheck" or + "Invoke-PostExfil" or "Create-MultipleSessions" or + "Invoke-NetworkRelay" or "New-GPOImmediateTask" or + "Invoke-WMIDebugger" or "Invoke-SQLOSCMD" or + "Invoke-SMBExec" or "Invoke-PSRemoting" or + "Invoke-ExecuteMSBuild" or "Invoke-DCOM" or + "Invoke-InveighRelay" or "Invoke-PsExec" or + "Invoke-SSHCommand" or "Find-ActiveUsersWMI" or + "Get-SystemDrivesWMI" or "Get-ActiveNICSWMI" or + "Remove-Persistence" or "DNS_TXT_Pwnage" or + "Execute-OnTime" or "HTTP-Backdoor" or + "Add-ConstrainedDelegationBackdoor" or "Add-RegBackdoor" or + "Add-ScrnSaveBackdoor" or "Gupt-Backdoor" or + "Invoke-ADSBackdoor" or "Add-Persistence" or + "Invoke-ResolverBackdoor" or "Invoke-EventLogBackdoor" or + "Invoke-DeadUserBackdoor" or "Invoke-DisableMachineAcctChange" or + "Invoke-AccessBinary" or "Add-NetUser" or + "Invoke-Schtasks" or "Invoke-JSRatRegsvr" or + "Invoke-JSRatRundll" or "Invoke-PoshRatHttps" or + "Invoke-PsGcatAgent" or "Remove-PoshRat" or + "Install-SSP" or "Invoke-BackdoorLNK" or + "PowerBreach" or "InstallEXE-Persistence" or + "RemoveEXE-Persistence" or "Install-ServiceLevel-Persistence" or + "Remove-ServiceLevel-Persistence" or "Invoke-Prompt" or + "Invoke-PacketCapture" or "Start-WebcamRecorder" or + "Get-USBKeyStrokes" or "Invoke-KeeThief" or + "Get-Keystrokes" or 
"Invoke-NetRipper" or + "Get-EmailItems" or "Invoke-MailSearch" or + "Invoke-SearchGAL" or "Get-WebCredentials" or + "Start-CaptureServer" or "Invoke-PowerShellIcmp" or + "Invoke-PowerShellTcpOneLine" or "Invoke-PowerShellTcpOneLineBind" or + "Invoke-PowerShellUdp" or "Invoke-PowerShellUdpOneLine" or + "Run-EXEonRemote" or "Download-Execute-PS" or + "Out-RundllCommand" or "Set-RemoteWMI" or + "Set-DCShadowPermissions" or "Invoke-PowerShellWMI" or + "Invoke-Vnc" or "Invoke-LockWorkStation" or + "Invoke-EternalBlue" or "Invoke-ShellcodeMSIL" or + "Invoke-MetasploitPayload" or "Invoke-DowngradeAccount" or + "Invoke-RunAs" or "ExetoText" or + "Disable-SecuritySettings" or "Set-MacAttribute" or + "Invoke-MS16032" or "Invoke-BypassUACTokenManipulation" or + "Invoke-SDCLTBypass" or "Invoke-FodHelperBypass" or + "Invoke-EventVwrBypass" or "Invoke-EnvBypass" or + "Get-ServiceUnquoted" or "Get-ServiceFilePermission" or + "Get-ServicePermission" or "Get-ServicePermission" or + "Enable-DuplicateToken" or "Invoke-PsUaCme" or + "Invoke-Tater" or "Invoke-WScriptBypassUAC" or + "Invoke-AllChecks" or "Find-TrustedDocuments" or + "Invoke-Interceptor" or "Invoke-PoshRatHttp" or + "Invoke-ExecCommandWMI" or "Invoke-KillProcessWMI" or + "Invoke-CreateShareandExecute" or "Invoke-RemoteScriptWithOutput" or + "Invoke-SchedJobManipulation" or "Invoke-ServiceManipulation" or + "Invoke-PowerOptionsWMI" or "Invoke-DirectoryListing" or + "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or + "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or + "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" + ) + and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" ) ''' diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index 6e3857ef8..fd2f5b7eb 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml 
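Review bot: The added function list contains duplicates: `"Get-ServicePermission" or "Get-ServicePermission"` repeats the same term on one line, and `"Get-Keystrokes"` is added here although the `@@ -94,7 +93,7 @@` hunk of this same file already lists it. Duplicates do not change the query result but this list is already several hundred terms long, so keeping one entry per function matters for maintenance; drop the repeats. The new exclusion `and not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint")` is a content-only allowlist with no path, user or signer anchor, while the equivalent exclusion added to `privilege_escalation_posh_token_impersonation.toml` in this commit additionally requires `"PowerSploitIndicators"`; aligning on the stricter three-term form, and naming in a `/* */` comment which product emits these script blocks, would keep the two rules consistent and document why the exclusion is safe. The enclosing KQL expression starts above this hunk.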
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/17" -integration = ["endpoint", "windows"] +integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/29" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies the PowerShell engine being invoked by unexpected processes. Rather t with powershell.exe, some attackers do this to operate more stealthily. """ from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious PowerShell Engine ImageLoad" 
@@ -59,28 +59,6 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - -## Setup - -The 'PowerShell Script Block Logging' logging policy must be enabled. -Steps to implement the logging policy with with Advanced Audit Configuration: - -``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > -Turn on PowerShell Script Block Logging (Enable) -``` - -Steps to implement the logging policy via registry: - -``` -reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 -``` - -## Setup - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ risk_score = 47 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3" 
@@ -90,64 +68,36 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -any where host.os.type == "windows" and (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and - (dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") or - file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll")) and - -/* add false positives relevant to your environment here */ -not process.executable : ("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\sdiagnhost.exe") and -not process.executable regex~ """C:\\Program Files( \(x86\))?\\*\.exe""" and - not process.name : +library where host.os.type == "windows" and + dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and + not ( - "Altaro.SubAgent.exe", - "AppV_Manage.exe", - "azureadconnect.exe", - "CcmExec.exe", - "configsyncrun.exe", - "choco.exe", - "ctxappvservice.exe", - "DVLS.Console.exe", - "edgetransport.exe", - "exsetup.exe", - "forefrontactivedirectoryconnector.exe", - "InstallUtil.exe", - "JenkinsOnDesktop.exe", - "Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe", - "mmc.exe", - "mscorsvw.exe", - "msexchangedelivery.exe", - "msexchangefrontendtransport.exe", - "msexchangehmworker.exe", - "msexchangesubmission.exe", - "msiexec.exe", - "MsiExec.exe", - "noderunner.exe", - "NServiceBus.Host.exe", - "NServiceBus.Host32.exe", - "NServiceBus.Hosting.Azure.HostProcess.exe", - "OuiGui.WPF.exe", - "powershell.exe", - "powershell_ise.exe", - "pwsh.exe", - "SCCMCliCtrWPF.exe", - "ScriptEditor.exe", - "ScriptRunner.exe", - "sdiagnhost.exe", - "servermanager.exe", - "setup100.exe", - "ServiceHub.VSDetouredHost.exe", - "SPCAF.Client.exe", - "SPCAF.SettingsEditor.exe", - "SQLPS.exe", - "Ssms.exe", - "telemetryservice.exe", - "UMWorkerProcess.exe", - "w3wp.exe", - "wsmprovhost.exe" + /* MS Signed Binaries */ + ( + 
process.code_signature.subject_name : ( + "Microsoft Windows", + "Microsoft Dynamic Code Publisher", + "Microsoft Corporation" + ) and process.code_signature.trusted == true and not process.name : ("rundll32.exe", "regsvr32.exe") + ) or + + /* Signed Executables from the Program Files folder */ + ( + process.executable : ( + "?:\\Program Files (x86)\\*.exe", + "?:\\Program Files\\*.exe" + ) and process.code_signature.trusted == true + ) or + + /* Lenovo */ + ( + process.executable : ( + "?:\\Windows\\Lenovo\\*.exe" + ) and (process.code_signature.subject_name : "Lenovo" and process.code_signature.trusted == true) + ) ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml new file mode 100644 index 000000000..a6169681a --- /dev/null +++ b/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml 
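Review bot: The rewritten exclusion block accepts any executable under `?:\\Program Files\\*` or `?:\\Program Files (x86)\\*` with a trusted signature from any publisher, and any binary signed by `Microsoft Windows`, `Microsoft Dynamic Code Publisher` or `Microsoft Corporation` other than `rundll32.exe` and `regsvr32.exe`; that is a much broader trust boundary than the explicit process-name list it replaces, which may be the right trade-off for a `library` rule but should be stated in the query, e.g. `/* Signed Executables from the Program Files folder (any trusted publisher) */`. The switch from `any where ... (event.category : ("library", "driver") or ...)` to `library where` only matches Endpoint library events, which is consistent with the `index` narrowing in the `@@ -13,7 +13,7 @@` hunk but should be called out in `min_stack_comments` or the commit body since Endgame and Sysmon data no longer drive this rule. The `/* add false positives relevant to your environment here */` hint from the old query was dropped; restoring it above the `not (` block keeps the guidance for operators. The `[[rule.threat]]` tables after this hunk are unchanged context.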
@@ -0,0 +1,73 @@ +[metadata] +creation_date = "2023/03/16" +integration = ["endpoint", "windows"] +maturity = "production" +min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" +min_stack_version = "8.4.0" +updated_date = "2023/06/29" + +[rule] +author = ["Elastic"] +description = """ +Identifies newly seen removable devices by device friendly name using registry modification events. While this activity +is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices. +""" +from = "now-9m" +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"] +language = "kuery" +license = "Elastic License v2" +name = "First Time Seen Removable Device" +risk_score = 21 +rule_id = "0859355c-0f08-4b43-8ff5-7d2a4789fc08" +severity = "low" +references = [ +"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", +"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" +] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame"] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR* +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1091" +name = "Replication Through Removable Media" +reference = "https://attack.mitre.org/techniques/T1091/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1052" +name = "Exfiltration Over Physical Medium" +reference = "https://attack.mitre.org/techniques/T1052/" + + [[rule.threat.technique.subtechnique]] + id = "T1052.001" + name = "Exfiltration 
over USB" + reference = "https://attack.mitre.org/techniques/T1052/001/" + + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + + +[rule.new_terms] +field = "new_terms_fields" +value = ["registry.path"] +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-7d" diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml index ea19be8e8..765db0a9c 100644 --- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml @@ -32,9 +32,9 @@ type = "eql" query = ''' sequence by host.id with maxspan=30s [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and - destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1" - ] - [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "winrshost.exe" and not process.name : "conhost.exe"] + destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"] + [process where host.os.type == "windows" and + event.type == "start" and process.parent.name : "winrshost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"] ''' diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index b702779fa..ee7c372a2 100644 --- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/06/30" [rule] author = ["Elastic"] 
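Review bot: `registry.path:*USBSTOR*` is a leading-wildcard match on a keyword field, which Elasticsearch evaluates as an expensive wildcard query over every `FriendlyName` registry event; if the indexed sources always report the key under an `Enum\\USBSTOR` prefix (to be confirmed against the data), anchoring on that prefix in the same style as the other `registry.path` values in this commit would be cheaper and more precise. The description says devices are identified "by device friendly name", but the new-terms field is `registry.path`, which includes the device instance id, so two devices sharing a friendly name still alert separately; say so in the description. With `history_window_start` set to `now-7d`, a device not seen for seven days presumably alerts again, which is worth a sentence in the description or a `note`. The `[[rule.threat.technique.subtechnique]]` table is indented while the rest of the file is at column 0.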
@@ -37,7 +37,8 @@ sequence by host.id with maxspan = 2s [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and not process.args : ("C:\\windows\\temp\\nessus_*.txt", "*C:\\windows\\TEMP\\nessus_*.TMP*", - "C:\\Windows\\CCM\\SystemTemp\\*", + "*C:\\Windows\\CCM\\SystemTemp\\*", + "C:\\Windows\\CCM\\ccmrepair.exe", "C:\\Windows\\CCMCache\\*", "C:\\CCM\\Cache\\*") ] diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml index 6384e3be3..e9689c083 100644 --- a/rules/windows/lateral_movement_powershell_remoting_target.toml +++ b/rules/windows/lateral_movement_powershell_remoting_target.toml @@ -36,7 +36,8 @@ query = ''' sequence by host.id with maxspan = 30s [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"] - [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"] + [process where host.os.type == "windows" and + event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"] ''' diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 790fe7ba6..6f5722345 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml 
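Review bot: The new exclusions stay on `process.args` while the rest of this commit moves exclusions to `process.executable`: `"C:\\Windows\\CCM\\ccmrepair.exe"` as an args value excludes any WmiPrvSE child whose argument list contains that string, not the process running from that path, and `"*C:\\Windows\\CCM\\SystemTemp\\*"` now matches the directory anywhere inside an argument. Consider `not process.executable : "?:\\Windows\\CCM\\ccmrepair.exe"` for the repair tool and keeping args wildcards only where the excluded value really is a parameter. A short `/* Configuration Manager client */` comment above the CCM entries (presumably what these paths belong to) would record why they are trusted. The enclosing `sequence` starts above this hunk.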
@@ -65,14 +65,16 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where host.os.type == "windows" and event.type in ("creation", "change") and - registry.path : ( - "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections", - "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" - ) and +registry where host.os.type == "windows" and + event.type in ("creation", "change") and + registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and registry.data.strings : ("0", "0x00000000") and - not (process.name : "svchost.exe" and user.domain == "NT AUTHORITY") and - not process.executable : "C:\\Windows\\System32\\SystemPropertiesRemote.exe" + not process.executable : ("?:\\Windows\\System32\\SystemPropertiesRemote.exe", + "?:\\Windows\\System32\\SystemPropertiesComputerName.exe", + "?:\\Windows\\System32\\SystemPropertiesAdvanced.exe", + "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe", + "?:\\Windows\\WinSxS\\*\\TiWorker.exe", + "?:\\Windows\\system32\\svchost.exe") ''' diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 6026388a1..7e649e51f 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml 
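Review bot: The rewrite drops the `\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections` spelling and keeps only the `HKLM\\...` form; if any of the rule's indexed sources (the `index` list is outside this hunk) reports registry paths in the native `\\REGISTRY\\MACHINE` form, those events stop matching, so the commit should state why the alternate form is no longer needed. The `svchost.exe` exclusion also widened: it previously required `user.domain == "NT AUTHORITY"` and now excludes `?:\\Windows\\system32\\svchost.exe` under any user. A comment such as `/* Windows settings UIs and servicing tasks that legitimately toggle fDenyTSConnections */` above the `process.executable` list would document the intent of the six entries.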
@@ -112,10 +112,10 @@ sequence with maxspan=1s network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" ] by host.id, process.entity_id - - [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "services.exe" and - not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and - not (process.name : "msiexec.exe" and process.args : "/V") and + [process where host.os.type == "windows" and + event.type == "start" and process.parent.name : "services.exe" and + not (process.executable : "?:\\Windows\\System32\\svchost.exe" and process.args : "tiledatamodelsvc") and + not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "/V") and not process.executable : ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe", "?:\\Windows\\System32\\VSSVC.exe", diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml index e96785744..a2b566ef3 100644 --- a/rules/windows/persistence_scheduled_task_updated.toml +++ b/rules/windows/persistence_scheduled_task_updated.toml @@ -6,6 +6,7 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/06/22" + [rule] author = ["Elastic"] description = """ @@ -20,9 +21,9 @@ language = "eql" license = "Elastic License v2" name = "A scheduled task was updated" references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"] -risk_score = 21 +risk_score = 47 rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb" -severity = "low" +severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "eql" 
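Review bot: `risk_score` and `severity` change here (21 to 47, low to medium) and the `@@ -31,13 +32,22 @@` hunk below changes the query, but `updated_date = "2023/06/22"` in the `[metadata]` hunk above is left untouched, whereas the other modified rules in this commit bump it (for example to `2023/07/05` or `2023/06/29`). Bump it to the date of this change so the metadata matches the version lock. The `@@ -6,6 +6,7 @@` hunk only adds a blank line.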
@@ -31,13 +32,22 @@ query = ''' iam where event.action == "scheduled-task-updated" and /* excluding tasks created by the computer account */ - not user.name : "*$" and + not user.name : "*$" and + not winlog.event_data.TaskName : "*Microsoft*" and not winlog.event_data.TaskName : ("\\User_Feed_Synchronization-*", "\\OneDrive Reporting Task-S-1-5-21*", "\\OneDrive Reporting Task-S-1-12-1-*", "\\Hewlett-Packard\\HP Web Products Detection", - "\\Hewlett-Packard\\HPDeviceCheck") + "\\Hewlett-Packard\\HPDeviceCheck", + "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant", + "\\IpamDnsProvisioning", + "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun", + "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun", + "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun", + "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*", + "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and + not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") ''' diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 754a38f26..7b442a332 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml 
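Review bot: `not winlog.event_data.TaskName : "*Microsoft*"` already covers the six `\\Microsoft\\...` entries added to the explicit list below it (the four `UpdateOrchestrator\\UpdateAssistant*` tasks, `.NET Framework NGEN v*` and `VisualStudio\\Updates\\BackgroundDownload`), so those lines are dead and should be dropped or the wildcard narrowed. For a persistence rule, excluding any task whose name merely contains `Microsoft` is a broad allowlist, since task names are chosen by whoever registers the task; anchoring on the folder prefix, `not winlog.event_data.TaskName : "\\Microsoft\\*"`, together with the `SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")` exclusion that is already added would keep most of the noise reduction with less coverage loss. A `/* excluding Microsoft maintenance tasks and built-in service accounts */` comment would explain the two new clauses.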
@@ -100,8 +100,13 @@ any where host.os.type == "windows" and (file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", - "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") - and not file.code_signature.status == "Valid") + "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") and + not file.path : ("?:\\Windows\\System32\\wbemcomn.dll", "?:\\Windows\\SysWOW64\\wbemcomn.dll") and + not file.hash.sha256 : + ("6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f", + "b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4", + "c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662") and + not file.code_signature.status == "Valid") ) ''' diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 6028f33f2..e86397efb 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/05" [rule] author = ["Elastic"] @@ -76,6 +76,9 @@ event.category:process and host.os.type:windows and ) and not (user.id:("S-1-5-18" or "S-1-5-19") and file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads") + and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + ) ''' 
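Review bot: The three `file.hash.sha256` exclusions are undocumented; hashes pin specific builds of a file, so a `/* */` comment stating which product or file each hash belongs to, and the path it was observed under, is needed for a maintainer to know when they can be retired or must be extended. The `not file.path : ("?:\\Windows\\System32\\wbemcomn.dll", "?:\\Windows\\SysWOW64\\wbemcomn.dll")` clause presumably marks the legitimate locations of that library so the rule only fires when it appears elsewhere, which is the phantom-DLL case; a comment such as `/* wbemcomn.dll is expected in System32/SysWOW64 */` would say so. The enclosing `any where` expression starts above this hunk.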
diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml
new file mode 100644
index 000000000..62ee9f344
--- /dev/null
+++ b/rules_building_block/collection_archive_data_zip_imageload.toml
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/07/06"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for
+exfiltration.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Compression DLL Loaded by Unusual Process"
+risk_score = 21
+rule_id = "d197478e-39f0-4347-a22f-ba654718b148"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Endgame", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+library where
+ dll.name : ("System.IO.Compression.FileSystem.ni.dll", "System.IO.Compression.ni.dll") and
+
+ /* FP Patterns */
+ not process.executable :
+ ("?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe",
+ "?:\\Windows\\System32\\sdiagnhost.exe")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1560"
+name = "Archive Collected Data"
+reference = "https://attack.mitre.org/techniques/T1560/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
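Review bot: The query has no `host.os.type == "windows"` predicate although `tags` says `OS: Windows` and the other `library where` rule touched in this commit (`execution_suspicious_powershell_imgload.toml`) carries one; change the first line to `library where host.os.type == "windows" and`. The `tags` list also contains `Data Source: Elastic Endgame` while `index` is only `logs-endpoint.events.*` and `integration` is `["endpoint"]`, so the tag does not describe the data this rule reads. The `?:\\Program Files\\*` and `?:\\Program Files (x86)\\*` exclusions accept anything under those directories with no signature check, whereas the imgload rewrite in this commit pairs the same paths with `process.code_signature.trusted == true`; doing the same here keeps the two building blocks consistent and closes an unsigned-binary gap.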
diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml
new file mode 100644
index 000000000..c7284e082
--- /dev/null
+++ b/rules_building_block/collection_posh_compression.toml
@@ -0,0 +1,99 @@
+[metadata]
+creation_date = "2023/07/06"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/06"
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and
+encrypt data in preparation for exfiltration.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Script with Archive Compression Capabilities"
+note = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+risk_score = 21
+rule_id = "27071ea3-e806-4697-8abc-e22c92aa4293"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.category:process and host.os.type:windows and
+(
+ powershell.file.script_block_text : (
+ "IO.Compression.ZipFile" or
+ "IO.Compression.ZipArchive" or
+ "ZipFile.CreateFromDirectory" or
+ "IO.Compression.BrotliStream" or
+ "IO.Compression.DeflateStream" or
+ "IO.Compression.GZipStream" or
+ "IO.Compression.ZLibStream"
+ ) and
+ powershell.file.script_block_text : (
+ "CompressionLevel" or
+ "CompressionMode" or
+ "ZipArchiveMode"
+ ) or
+
powershell.file.script_block_text : "Compress-Archive"
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1560"
+name = "Archive Collected Data"
+reference = "https://attack.mitre.org/techniques/T1560/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules_building_block/command_and_control_non_standard_http_port.toml b/rules_building_block/command_and_control_non_standard_http_port.toml
new file mode 100644
index 000000000..71395d383
--- /dev/null
+++ b/rules_building_block/command_and_control_non_standard_http_port.toml
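Review bot: The query body relies on KQL operator precedence (`and` binds tighter than `or`) so that the two `powershell.file.script_block_text : (...)` clauses joined by `and` form one alternative and `"Compress-Archive"` the other; wrapping the first two clauses in their own parentheses makes that grouping explicit and matches the fully parenthesised style of the other new rules in this commit. The `[[rule.threat.technique.subtechnique]]` table for `T1059.001` sits at column 0 while the same table in `initial_access_exfiltration_first_time_seen_usb.toml` is indented; pick one layout across the new files.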
@@ -0,0 +1,87 @@
+[metadata]
+creation_date = "2023/07/10"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/10"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS.
+For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443.
+Adversaries may make changes to the standard port a protocol uses to bypass filtering or
+muddle analysis/parsing of network data.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Non-Standard Port HTTP/HTTPS connection"
+risk_score = 21
+rule_id = "62b68eb2-1e47-4da7-85b6-8f478db5b272"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+network where process.name : ("http", "https")
+ and destination.port not in (80, 443)
+ and event.action in ("connection_attempted", "connection_accepted")
+ and destination.ip != "127.0.0.1"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1573"
+name = "Encrypted Channel"
+reference = "https://attack.mitre.org/techniques/T1573/"
+[[rule.threat.technique.subtechnique]]
+id = "T1573.001"
+name = "Symmetric Cryptography"
+reference = "https://attack.mitre.org/techniques/T1573/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1573.001"
+name = "Asymmetric Cryptography"
+reference = "https://attack.mitre.org/techniques/T1573/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules_building_block/defense_evasion_masquerading_communication_apps.toml b/rules_building_block/defense_evasion_masquerading_communication_apps.toml
new file mode 100644
index 000000000..3dfa116d3
--- /dev/null
+++ b/rules_building_block/defense_evasion_masquerading_communication_apps.toml
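Review bot: The second `[[rule.threat.technique.subtechnique]]` under T1573 reuses `id = "T1573.001"` for `name = "Asymmetric Cryptography"` while its `reference` ends in `/T1573/002/`; the id should be `T1573.002`, and a validator that cross-checks id against reference would flag the mismatch. The query excludes `destination.ip != "127.0.0.1"` but not `"::1"`, whereas the other network rules in this commit exclude both loopback forms; add `and destination.ip != "::1"`. The rule is tagged `OS: Linux` and `OS: macOS` but has no `host.os.type` predicate, so it also evaluates Windows events; either add the OS filter or drop the tags. The description has `port paring` (should be `pairing`) and `port 80 , 443` (should be `ports 80 and 443`), and the three `[[rule.threat]]` tables all map to tactic `TA0011` and could be a single table listing the three techniques.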
@@ -0,0 +1,88 @@
+[metadata]
+creation_date = "2023/05/05"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/30"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to
+conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Masquerading as Communication Apps"
+risk_score = 21
+rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and
+ event.type == "start" and
+ (
+ /* Slack */
+ (process.name : "slack.exe" and not
+ (process.code_signature.subject_name : "Slack Technologies, Inc." and process.code_signature.trusted == true)
+ ) or
+
+ /* WebEx */
+ (process.name : "WebexHost.exe" and not
+ (process.code_signature.subject_name : ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
+ ) or
+
+ /* Teams */
+ (process.name : "Teams.exe" and not
+ (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
+ ) or
+
+ /* Discord */
+ (process.name : "Discord.exe" and not
+ (process.code_signature.subject_name : "Discord Inc." and process.code_signature.trusted == true)
+ ) or
+
+ /* RocketChat */
+ (process.name : "Rocket.Chat.exe" and not
+ (process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
+ ) or
+
+ /* Mattermost */
+ (process.name : "Mattermost.exe" and not
+ (process.code_signature.subject_name : "Mattermost, Inc." and process.code_signature.trusted == true)
+ ) or
+
+ /* WhatsApp */
+ (process.name : "WhatsApp.exe" and not
+ (process.code_signature.subject_name : "WhatsApp LLC" and process.code_signature.trusted == true)
+ ) or
+
+ /* Zoom */
+ (process.name : "Zoom.exe" and not
+ (process.code_signature.subject_name : "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
+ )
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules_building_block/defense_evasion_powershell_clear_logs_script.toml b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
new file mode 100644
index 000000000..a14ffedf1
--- /dev/null
+++ b/rules_building_block/defense_evasion_powershell_clear_logs_script.toml
@@ -0,0 +1,95 @@
+[metadata]
+creation_date = "2023/07/06"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by
+attackers in an attempt to evade detection or destroy forensic evidence on a system.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Script with Log Clear Capabilities"
+note = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+references = [
+ "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"
+]
+risk_score = 21
+rule_id = "3d3aa8f9-12af-441f-9344-9f31053e316d"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.category:process and host.os.type:windows and
+ powershell.file.script_block_text : (
+ "Clear-EventLog" or
+ "Remove-EventLog" or
+ ("Eventing.Reader.EventLogSession" and ".ClearLog") or
+ ("Diagnostics.EventLog" and ".Clear")
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.001"
+name = "Clear Windows Event Logs"
+reference = "https://attack.mitre.org/techniques/T1070/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml
new file mode 100644
index 000000000..361bbae9f
--- /dev/null
+++ b/rules_building_block/discovery_hosts_file_access.toml
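Review bot: Unlike `discovery_posh_generic.toml` in this same commit, this query carries neither the `and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")` exclusion nor `and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)`, so module manifests and help text that merely mention `Clear-EventLog` will fire every time they are loaded. Keeping SYSTEM in scope may well be deliberate for log clearing, but the module-path exclusion looks like a straightforward omission; if both are intentional, a one-line comment in the query saying so would stop the next reviewer from "fixing" it. Note also that `("Diagnostics.EventLog" and ".Clear")` is a substring conjunction, so a script containing `Diagnostics.EventLog` anywhere plus an unrelated `.Clear()` call matches.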
@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2023/07/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/11"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies the use of built-in tools to read the contents of \\etc\\hosts on a local machine. Attackers may use this data
+to discover remote machines in an environment that may be used for Lateral Movement from the current system.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "System Hosts File Access"
+risk_score = 21
+rule_id = "f75f65cf-ed04-48df-a7ff-b02a8bfe636e"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and event.action == "exec" and
+ (process.name:("vi", "nano", "cat", "more", "less") and process.args : "/etc/hosts")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1018"
+name = "Remote System Discovery"
+reference = "https://attack.mitre.org/techniques/T1018/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules_building_block/discovery_linux_system_information_discovery.toml b/rules_building_block/discovery_linux_system_information_discovery.toml
new file mode 100644
index 000000000..11c644037
--- /dev/null
+++ b/rules_building_block/discovery_linux_system_information_discovery.toml
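Review bot: The description renders as `\etc\hosts` (TOML basic string, `\\` becomes `\`), but the rule targets Linux/macOS and the query matches `process.args : "/etc/hosts"`; write `/etc/hosts` in the description so it agrees with the query. Minor style point in the same query: `process.name:("vi", ...)` and `process.args : "/etc/hosts"` use different spacing around `:`; the other new rules mostly use `field : value`.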
@@ -0,0 +1,44 @@
+[metadata]
+creation_date = "2023/07/10"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/10"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = "Enrich process events with uname and other command lines that imply Linux system information discovery."
+from = "now-119m"
+interval = "60m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Linux System Information Discovery"
+risk_score = 21
+rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and
+(
+ process.name: "uname" or
+ (process.name: ("cat", "more", "less") and
+ process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*"))
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules_building_block/discovery_linux_system_owner_user_discovery.toml b/rules_building_block/discovery_linux_system_owner_user_discovery.toml
new file mode 100644
index 000000000..02dec413a
--- /dev/null
+++ b/rules_building_block/discovery_linux_system_owner_user_discovery.toml
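Review bot: `process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*")` with `cat`/`more`/`less` matches any path containing those substrings (`cat ~/.bash_profile`, `less build/version.txt`), not the system files the description implies; anchoring the patterns, e.g. `"/etc/issue*", "/proc/version", "/etc/profile*", "/etc/services", "/proc/cpuinfo"`, keeps the enrichment meaningful. This query also omits the `event.action == "exec"` clause that `discovery_hosts_file_access.toml` and `discovery_process_discovery_via_builtin_tools.toml` use; the same is true of `discovery_linux_system_owner_user_discovery.toml` and `discovery_system_network_connections.toml`. Since this rule and the owner/user one also index `auditbeat-*`, whose process events may not carry `exec`, the omission may be deliberate, in which case a short comment in the query would record that.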
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/07/10"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/10"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = "Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised system."
+from = "now-119m"
+interval = "60m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "System Owner/User Discovery Linux"
+risk_score = 21
+rule_id = "bf8c007c-7dee-4842-8e9a-ee534c09d205"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and
+ process.name : ("whoami", "w", "who", "users", "id")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml
new file mode 100644
index 000000000..2aa35a66b
--- /dev/null
+++ b/rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml
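Review bot: `id`, `who` and `w` in `process.name : ("whoami", "w", "who", "users", "id")` are also matched by `discovery_of_accounts_or_groups_via_builtin_tools.toml` (`groups`, `id`) and `discovery_system_network_connections.toml` (`who`, `w`) added in this commit, so a single `id` or `w` execution produces two building-block alerts that say nearly the same thing. If the overlap is intended, the descriptions should say which rule owns which tool; otherwise drop the duplicates from one side. T1069 Permission Groups Discovery is mapped here, yet of the five names only `id` reports group membership; it may fit better on the accounts/groups rule, which already carries T1069 with both subtechniques.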
@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2023/07/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/11"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Account or Group Discovery via Built-In Tools"
+risk_score = 21
+rule_id = "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type== "start" and event.action == "exec" and
+ ( (process.name: ("groups","id"))
+ or (process.name : "dscl" and process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
+ or (process.name: "dscacheutil" and process.args:("user", "group"))
+ or process.args:("/etc/passwd", "/etc/master.passwd", "/etc/sudoers")
+ or (process.name: "getent" and process.args:("passwd", "group"))
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.001"
+name = "Local Groups"
+reference = "https://attack.mitre.org/techniques/T1069/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1087/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml
new file mode 100644
index 000000000..054dfaf7a
--- /dev/null
+++ b/rules_building_block/discovery_posh_generic.toml
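Review bot: `or process.args:("/etc/passwd", "/etc/master.passwd", "/etc/sudoers")` is the only branch with no `process.name` restriction, so any exec that takes one of those paths as an argument (package managers, `chmod`/`chown`, editors, `visudo`, backup tools) satisfies the rule, which is broader than the "listing of accounts and groups" the description promises; scoping it to the reader tools the other branches use, or documenting the breadth in the description, would keep the building block predictable. Style: `event.type== "start"` is missing the space before `==`; every other new rule writes `event.type == "start"`. Spacing around `:` is also mixed within the one query (`process.name: ("groups","id")` vs `process.name : "dscl"`).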
@@ -0,0 +1,244 @@
+[metadata]
+creation_date = "2023/07/06"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/06"
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various
+situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Script with Discovery Capabilities"
+note = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+risk_score = 21
+rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.category:process and host.os.type:windows and
+ powershell.file.script_block_text : (
+ (
+ ("Get-ItemProperty" or "Get-Item") and "-Path"
+ ) or
+ (
+ "Get-ADDefaultDomainPasswordPolicy" or
+ "Get-ADDomain" or "Get-ComputerInfo" or
+ "Get-Disk" or "Get-DnsClientCache" or
+ "Get-GPOReport" or "Get-HotFix" or
+ "Get-LocalUser" or "Get-NetFirewallProfile" or
+ "get-nettcpconnection" or "Get-NetAdapter" or
+ "Get-PhysicalDisk" or "Get-Process" or
+ "Get-PSDrive" or "Get-Service" or
+ "Get-SmbShare" or "Get-WinEvent"
+ ) or
+ (
+ ("Get-WmiObject" or "gwmi" or "Get-CimInstance" or
+ "gcim" or "Management.ManagementObjectSearcher" or
+ "System.Management.ManagementClass" or
+ "[WmiClass]" or "[WMI]") and
+ (
+ "AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or
+ "CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or
+ "CIM_Process" or "CIM_Service" or "MSFT_DNSClientCache" or "Win32_BIOS" or "Win32_ComputerSystem" or
+ "Win32_ComputerSystemProduct" or "Win32_DiskDrive" or "win32_environment" or "Win32_Group" or
+ "Win32_groupuser" or "Win32_IP4RouteTable" or "Win32_logicaldisk" or "Win32_MappedLogicalDisk" or
+ "Win32_NetworkAdapterConfiguration" or "win32_ntdomain" or "Win32_OperatingSystem" or
+ "Win32_PnPEntity" or "Win32_Process" or "Win32_Product" or "Win32_quickfixengineering" or
+ "win32_service" or "Win32_Share" or "Win32_UserAccount"
+ )
+ ) or
+ (
+ ("ADSI" and "WinNT") or
+ ("Get-ChildItem" and "sysmondrv.sys") or
+ ("::GetIPGlobalProperties()" and "GetActiveTcpConnections()") or
+ ("ServiceProcess.ServiceController" and "::GetServices") or
+ ("Diagnostics.Process" and "::GetProcesses") or
+ ("DirectoryServices.Protocols.GroupPolicy" and ".GetGPOReport()") or
+ ("DirectoryServices.AccountManagement" and "PrincipalSearcher") or
+ ("NetFwTypeLib.NetFwMgr" and "CurrentProfile") or
+ ("NetworkInformation.NetworkInterface" and "GetAllNetworkInterfaces") or
+ ("Automation.PSDriveInfo") or
+ ("Microsoft.Win32.RegistryHive")
+ ) or
+ (
+ "Get-ItemProperty" and
+ (
+ "\Control\SecurityProviders\WDigest" or
+ "\microsoft\windows\currentversion\explorer\runmru" or
+ "\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" or
+ "\Microsoft\Windows\CurrentVersion\Uninstall" or
+ "\Microsoft\Windows\WindowsUpdate" or
+ "Policies\Microsoft\Windows\Installer" or
+ "Software\Microsoft\Windows\CurrentVersion\Policies" or
+ ("\Services\SharedAccess\Parameters\FirewallPolicy" and "EnableFirewall") or
+ ("Microsoft\Windows\CurrentVersion\Internet Settings" and "proxyEnable")
+ )
+ ) or
+ (
+ ("Directoryservices.Activedirectory" or
+ "DirectoryServices.AccountManagement") and
+ (
+ "Domain Admins" or "DomainControllers" or
+ "FindAllGlobalCatalogs" or "GetAllTrustRelationships" or
+ "GetCurrentDomain" or "GetCurrentForest"
+ ) or
+ "DirectoryServices.DirectorySearcher" and
+ (
+ "samAccountType=805306368" or
+ "samAccountType=805306369" or
+ "objectCategory=group" or
+ "objectCategory=groupPolicyContainer" or
+ "objectCategory=site" or
+ "objectCategory=subnet" or
+ "objectClass=trustedDomain"
+ )
+ ) or
+ (
+ "Get-Process" and
+ (
+ "mcshield" or "windefend" or "savservice" or
+ "TMCCSF" or "symantec antivirus" or
+ "CSFalcon" or "TmPfw" or "kvoop"
+ )
+ )
+ ) and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
+ and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1087/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
+
+
+[[rule.threat.technique]]
+id = "T1482"
+name = "Domain Trust Discovery"
+reference = "https://attack.mitre.org/techniques/T1482/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[[rule.threat.technique]]
+id = "T1615"
+name = "Group Policy Discovery"
+reference = "https://attack.mitre.org/techniques/T1615/"
+
+[[rule.threat.technique]]
+id = "T1135"
+name = "Network Share Discovery"
+reference = "https://attack.mitre.org/techniques/T1135/"
+
+[[rule.threat.technique]]
+id = "T1201"
+name = "Password Policy Discovery"
+reference = "https://attack.mitre.org/techniques/T1201/"
+
+[[rule.threat.technique]]
+id = "T1057"
+name = "Process Discovery"
+reference = "https://attack.mitre.org/techniques/T1057/"
+
+[[rule.threat.technique]]
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1518.001"
+name = "Security Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/001/"
+
+[[rule.threat.technique]]
+id = "T1012"
+name = "Query Registry"
+reference = "https://attack.mitre.org/techniques/T1012/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1049"
+name = "System Network Connections Discovery"
+reference = "https://attack.mitre.org/techniques/T1049/"
+
+[[rule.threat.technique]]
+id = "T1007"
+name = "System Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1007/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
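Review bot: `[[rule.threat.technique]]` with `id = "T1082"` / "System Information Discovery" appears twice in the Discovery threat block, once after T1482 and again after T1012; drop one of them. The tags list `"Tactic: Collection"`, but the only tactics mapped are Discovery (TA0007) and Execution (TA0002), so it should read `"Tactic: Discovery"` (plus `"Tactic: Execution"` if tags are meant to mirror every mapped tactic). In the Active Directory branch, `(... "DirectoryServices.AccountManagement") and (...) or "DirectoryServices.DirectorySearcher" and (...)` relies on KQL's `and` binding tighter than `or`; wrapping each arm in its own parentheses, as every other branch does, makes the grouping explicit and survives future edits.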
diff --git a/rules_building_block/discovery_process_discovery_via_builtin_tools.toml b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml
new file mode 100644
index 000000000..d78e68709
--- /dev/null
+++ b/rules_building_block/discovery_process_discovery_via_builtin_tools.toml
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/07/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/11"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint."
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Process Discovery via Built-In Applications"
+risk_score = 21
+rule_id = "3f4d7734-2151-4481-b394-09d7c6c91f75"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and event.action == "exec" and
+ process.name :("ps", "pstree", "htop", "pgrep") and
+ not (event.action == "exec" and process.parent.name in ("amazon-ssm-agent", "snap"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1057"
+name = "Process Discovery"
+reference = "https://attack.mitre.org/techniques/T1057/"
+
+[[rule.threat.technique]]
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
+[[rule.threat.technique.subtechnique]]
+id = "T1518.001"
+name = "Security Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/001/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
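Review bot: The exclusion `not (event.action == "exec" and process.parent.name in ("amazon-ssm-agent", "snap"))` repeats `event.action == "exec"`, which the first line of the query already requires, so the inner test is always true and the clause reduces to `not process.parent.name in ("amazon-ssm-agent", "snap")`. Style: `process.name :("ps", ...)` has a space before the colon but none after; `process.name : ("ps", "pstree", "htop", "pgrep")` matches the rest of the file. T1518.001 Security Software Discovery is mapped, yet nothing in the query distinguishes a process listing aimed at security tooling from any other `ps`; either the description should explain that coverage or the subtechnique should be dropped.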
diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml
new file mode 100644
index 000000000..cbf2ca34e
--- /dev/null
+++ b/rules_building_block/discovery_system_network_connections.toml
@@ -0,0 +1,42 @@
+[metadata]
+creation_date = "2023/07/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/11"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = "Adversaries may attempt to get a listing of network connections to or from a compromised system."
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "System Network Connections Discovery"
+risk_score = 21
+rule_id = "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.type == "start" and
+ process.name : ("netstat", "lsof", "who", "w")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1049"
+name = "System Network Connections Discovery"
+reference = "https://attack.mitre.org/techniques/T1049/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml
new file mode 100644
index 000000000..cd087726f
--- /dev/null
+++ b/rules_building_block/discovery_windows_system_information_discovery.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2023/07/06"
+integration = ["windows", "endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the execution of commands used to discover information about the system, which attackers may use after
+compromising a system to gain situational awareness.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Windows System Information Discovery"
+risk_score = 21
+rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+(
+ (
+ process.name : "cmd.exe" and process.args : "ver*" and not
+ process.parent.executable : (
+ "?:\\Users\\*\\AppData\\Local\\Keybase\\upd.exe",
+ "?:\\Users\\*\\python*.exe"
+ )
+ ) or
+ process.name : ("systeminfo.exe", "hostname.exe") or
+ (process.name : "wmic.exe" and process.args : "os" and process.args : "get")
+) and not
+process.parent.executable : (
+ "?:\\Program Files\\*",
+ "?:\\Program Files (x86)\\*",
+ "?:\\ProgramData\\*"
+) and not user.id : "S-1-5-18"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
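Review bot: The technique block pairs `id = "T1082"` with `name = "System Service Discovery"`, but T1082 is System Information Discovery, as the same commit records it in `discovery_linux_system_information_discovery.toml` and `discovery_posh_generic.toml` and as this rule's own name says; System Service Discovery is T1007. Change the line to `name = "System Information Discovery"`. The `process.args : "ver*"` test on `cmd.exe` also matches any argument beginning with "ver" (a `verbose.bat`, a path under `version\`), not only the `ver` command; `process.args : "ver"` or a check on `process.command_line` would be tighter if the intent is the bare command.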
diff --git a/rules_building_block/initial_access_cross_site_scripting.toml b/rules_building_block/initial_access_cross_site_scripting.toml
new file mode 100644
index 000000000..318d16160
--- /dev/null
+++ b/rules_building_block/initial_access_cross_site_scripting.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["apm"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites.
+In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a
+browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["apm-*-transaction*", "traces-apm*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Cross Site Scripting (XSS)"
+references = ["https://github.com/payloadbox/xss-payload-list"]
+risk_score = 21
+rule_id = "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c"
+severity = "low"
+tags = ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+any where processor.name == "transaction" and
+url.fragment : ("", "", "*onerror=*", "*javascript*alert*", "*eval*(*)*", "*onclick=*",
+"*alert(document.cookie)*", "*alert(document.domain)*","*onresize=*","*onload=*","*onmouseover=*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1189"
+name = "Drive-by Compromise"
+reference = "https://attack.mitre.org/techniques/T1189/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
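Review bot: The tags list omits `"Rule Type: BBR"` even though `building_block_type = "default"` is set and every other rule added under rules_building_block in this commit carries that tag; the new `test_bbr_in_correct_dir` checks only the directory and `building_block_type`, so nothing will flag the inconsistency. The pattern list `url.fragment : ("", "", "*onerror=*", ...)` opens with two empty-string entries; if those were angle-bracket tag patterns stripped by the rendering this is a non-issue, but as written `""` would appear to match any transaction whose fragment is present and empty, so the committed file should be checked. Only `url.fragment` is inspected; if `url.query` and `url.path` are deliberately out of scope, the description should say so, since readers will otherwise assume the rule covers reflected input generally.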
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index c16523a22..12f6d03ba 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -485,14 +485,23 @@ class TestRuleFiles(BaseRuleTest): def test_bbr_in_correct_dir(self): """Ensure that BBR are in the correct directory.""" for rule in self.bbr: + # Is the rule a BBR + self.assertEqual(rule.contents.data.building_block_type, 'default', + f'{self.rule_str(rule)} should have building_block_type = "default"') + + # Is the rule in the rules_building_block directory self.assertEqual(rule.path.parent.name, 'rules_building_block', f'{self.rule_str(rule)} should be in the rules_building_block directory') def test_non_bbr_in_correct_dir(self): """Ensure that non-BBR are not in BBR directory.""" + proper_directory = 'rules_building_block' for rule in self.all_rules: if rule.path.parent.name == 'rules_building_block': - self.assertIn(rule, self.bbr, f'{self.rule_str(rule)} should be in the rules_building_block directory') + self.assertIn(rule, self.bbr, f'{self.rule_str(rule)} should be in the {proper_directory}') + # Is the rule of type BBR + self.assertEqual(rule.contents.data.building_block_type, None, + f'{self.rule_str(rule)} should not have building_block_type or be in {proper_directory}') class TestRuleMetadata(BaseRuleTest):
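Review bot: In `test_non_bbr_in_correct_dir`, `proper_directory` is introduced but the branch condition still compares against the literal `'rules_building_block'`; use `if rule.path.parent.name == proper_directory:` so the name and the assertion messages cannot drift apart. The added `self.assertEqual(rule.contents.data.building_block_type, None, ...)` has no `else:` visible in the hunk: if it sits inside the `if` it contradicts the preceding `assertIn(rule, self.bbr, ...)` for every BBR, and if it sits at loop level it fails for every BBR as well, so it presumably belongs in an `else:` branch covering rules outside the directory (indentation is not recoverable from this rendering, please confirm). The reworded message `should be in the {proper_directory}` also dropped the word "directory" that the old text had. The enclosing `TestRuleFiles` class starts outside this hunk.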