Terrance DeJesus
1c10c37468
* updated timestamp override unit test; fixed rules missing this field * fixed flake error * simplified and consolidated logic * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * added comments * updated logic; added comments; removed unused variables * removed custom python script * updated dates * removed deprecated rule change * updated dates --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
74 lines
3.1 KiB
TOML
74 lines
3.1 KiB
TOML
[metadata]
|
|
creation_date = "2023/09/22"
|
|
integration = ["beaconing", "endpoint", "network_traffic"]
|
|
maturity = "production"
|
|
min_stack_comments = "Beaconing package updates and support"
|
|
min_stack_version = "8.10.1"
|
|
updated_date = "2024/01/05"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain
|
|
stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain
|
|
persistence in a network.
|
|
"""
|
|
from = "now-1h"
|
|
index = ["ml_beaconing.all"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "Statistical Model Detected C2 Beaconing Activity"
|
|
setup = """
|
|
The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.
|
|
|
|
### Network Beaconing Identification Setup
|
|
The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.
|
|
|
|
#### Prerequisite Requirements:
|
|
- Fleet is required for Network Beaconing Identification.
|
|
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
|
- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
|
|
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
|
- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
|
|
|
|
#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:
|
|
- Go to the Kibana homepage. Under Management, click Integrations.
|
|
- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
|
|
- Under Settings, click "Install Network Beaconing Identification assets" and follow the prompts to install the assets.
|
|
"""
|
|
references = [
|
|
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
|
|
"https://docs.elastic.co/en/integrations/beaconing",
|
|
"https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
|
|
]
|
|
risk_score = 21
|
|
rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
|
|
severity = "low"
|
|
tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
|
|
type = "query"
|
|
timestamp_override = "event.ingested"
|
|
|
|
query = '''
|
|
beacon_stats.is_beaconing: true
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1102"
|
|
name = "Web Service"
|
|
reference = "https://attack.mitre.org/techniques/T1102/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1102.002"
|
|
name = "Bidirectional Communication"
|
|
reference = "https://attack.mitre.org/techniques/T1102/002/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0011"
|
|
name = "Command and Control"
|
|
reference = "https://attack.mitre.org/tactics/TA0011/"
|
|
|