Terrance DeJesus
b28338c680
* adjusted Potential Widespread Malware Infection Across Multiple Hosts * adjusted Microsoft Azure or Mail Sign-in from a Suspicious Source * adjusted AWS EC2 Multi-Region DescribeInstances API Calls * adjusted AWS Discovery API Calls via CLI from a Single Resource * adjusted AWS Service Quotas Multi-Region Requests * adjusted AWS EC2 EBS Snapshot Shared or Made Public * adjusted AWS S3 Bucket Enumeration or Brute Force * adjusted AWS EC2 EBS Snapshot Access Removed * adjusted Potential AWS S3 Bucket Ransomware Note Uploaded * adjusted AWS S3 Object Encryption Using External KMS Key * adjusted AWS S3 Static Site JavaScript File Uploaded * adjusted AWS Access Token Used from Multiple Addresses * adjusted AWS Signin Single Factor Console Login with Federated User * adjusted AWS IAM AdministratorAccess Policy Attached to Group * adjusted AWS IAM AdministratorAccess Policy Attached to Role * adjusted AWS IAM AdministratorAccess Policy Attached to User * adjusted AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session * adjusted AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session * adjusted AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request * adjusted Unusual High Confidence Content Filter Blocks Detected * adjusted Potential Abuse of Resources by High Token Count and Large Response Sizes * AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User * Unusual High Denied Sensitive Information Policy Blocks Detected * adjusted Unusual High Denied Topic Blocks Detected * adjusted AWS Bedrock Detected Multiple Validation Exception Errors by a Single User * adjusted Unusual High Word Policy Blocks Detected * adjusted Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties * adjusted Azure Entra MFA TOTP Brute Force Attempts * adjusted Microsoft Entra ID Sign-In Brute Force Activity * adjusted Microsoft Entra ID Exccessive Account Lockouts Detected * adjusted Microsoft 365 Brute Force via Entra ID Sign-Ins * deprecated Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source * adjusted Microsoft Entra ID Session Reuse with Suspicious Graph Access * adjusted Suspicious Microsoft OAuth Flow via Auth Broker to DRS * adjusted Potential Denial of Azure OpenAI ML Service * adjusted Azure OpenAI Insecure Output Handling * adjusted Potential Azure OpenAI Model Theft * adjusted M365 OneDrive Excessive File Downloads with OAuth Token * adjusted Multiple Microsoft 365 User Account Lockouts in Short Time Window * adjusted Potential Microsoft 365 User Account Brute Force * adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code * adjusted Multiple Device Token Hashes for Single Okta Session * adjusted Multiple Okta User Authentication Events with Client Address * adjusted Multiple Okta User Authentication Events with Same Device Token Hash * adjusted High Number of Okta Device Token Cookies Generated for Authentication * adjusted Okta User Sessions Started from Different Geolocations * adjusted High Number of Egress Network Connections from Unusual Executable * adjusted Unusual Base64 Encoding/Decoding Activity * adjusted Potential Port Scanning Activity from Compromised Host * adjusted Potential Subnet Scanning Activity from Compromised Host * adjusted Unusual File Transfer Utility Launched * adjusted Potential Malware-Driven SSH Brute Force Attempt * adjusted Unusual Process Spawned from Web Server Parent * adjusted Unusual Command Execution from Web Server Parent * adjusted Rare Connection to WebDAV Target * adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences * adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion * adjusted Unusual File Creation by Web Server * adjusted Potential PowerShell Obfuscation via High Special Character Proportion * adjusted Potential Malicious PowerShell Based on Alert Correlation * adjusted Potential PowerShell Obfuscation via Character Array Reconstruction * adjusted Potential PowerShell Obfuscation via String Reordering * adjusted Potential PowerShell Obfuscation via String Concatenation * adjusted Potential PowerShell Obfuscation via Reverse Keywords * adjusted PowerShell Obfuscation via Negative Index String Reversal * adjusted Dynamic IEX Reconstruction via Method String Access * adjusted Potential Dynamic IEX Reconstruction via Environment Variables * adjusted Potential PowerShell Obfuscation via High Numeric Character Proportion * adjusted Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation * adjusted Rare Connection to WebDAV Target * adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences * adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion * adjusted Potential PowerShell Obfuscation via Character Array Reconstruction * adjusted Potential PowerShell Obfuscation via High Special Character Proportion * adjusted Potential PowerShell Obfuscation via Special Character Overuse * adjusted Potential PowerShell Obfuscation via String Reordering * adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code * adjusted fields that were inconsistent * adjusted additional fields * adjusted esql to Esql * adjusted several rules for common field names * updating rules * updated dates * updated dates * updated ESQL fields * lowercase all functions and logical operators * adjusted dates for unit tests * Update Esql_priv to Esql_temp as these don't hold PII * PowerShell adjustments * Make query comments consistent * update comment * reverted 2856446a-34e6-435b-9fb5-f8f040bfa7ed * Update rules/windows/discovery_command_system_account.toml * removed dot notation --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
93 lines
6.0 KiB
TOML
93 lines
6.0 KiB
TOML
[metadata]
|
|
creation_date = "2024/05/08"
|
|
maturity = "production"
|
|
updated_date = "2025/07/16"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this to
|
|
prioritize triage and response, as this can potentially indicate a widespread malware infection.
|
|
"""
|
|
from = "now-9m"
|
|
language = "esql"
|
|
license = "Elastic License v2"
|
|
name = "Potential Widespread Malware Infection Across Multiple Hosts"
|
|
note = """## Triage and analysis
|
|
|
|
> **Disclaimer**:
|
|
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
|
|
|
|
### Investigating Potential Widespread Malware Infection Across Multiple Hosts
|
|
|
|
Endpoint security technologies monitor and analyze activities on devices to detect malicious behavior. Adversaries exploit these systems by deploying malware that triggers specific signatures across multiple hosts, indicating a coordinated attack. The detection rule identifies such threats by analyzing alert data for specific malware signatures across several hosts, flagging potential widespread infections for prioritized investigation.
|
|
|
|
### Possible investigation steps
|
|
|
|
- Review the alert details to identify the specific rule.name and event.code that triggered the alert, focusing on those with a high count of distinct host.id values.
|
|
- Correlate the identified rule.name with known malware signatures or recent threat intelligence reports to understand the potential impact and behavior of the malware.
|
|
- Examine the affected host.id entries to determine if there are any commonalities, such as shared network segments, user accounts, or software versions, that could indicate the initial infection vector.
|
|
- Investigate the timeline of events for each affected host to identify any suspicious activities or anomalies preceding the alert, such as unusual file downloads or execution of unknown processes.
|
|
- Check for any additional alerts or logs related to the same host.id entries to assess if there are other indicators of compromise or related malicious activities.
|
|
- Coordinate with IT and security teams to isolate affected hosts if necessary, and initiate containment and remediation procedures based on the findings.
|
|
|
|
### False positive analysis
|
|
|
|
- Legitimate software updates or installations may trigger malware signatures, especially if they involve new or uncommon software. Users can create exceptions for known software update processes to prevent these alerts from being flagged as potential threats.
|
|
- Security testing tools or penetration testing activities might mimic malware behavior, leading to false positives. Analysts should coordinate with IT and security teams to whitelist these activities during scheduled tests.
|
|
- Custom scripts or administrative tools that perform automated tasks across multiple hosts can be mistaken for malicious activity. Identifying and excluding these scripts from the rule can reduce unnecessary alerts.
|
|
- Frequent use of remote management tools that execute scripts or commands on multiple hosts may trigger alerts. Users should ensure these tools are recognized and excluded from the rule to avoid false positives.
|
|
- Known benign applications that use shellcode or memory manipulation techniques for legitimate purposes should be reviewed and added to an exception list to prevent them from being flagged.
|
|
|
|
### Response and remediation
|
|
|
|
- Isolate affected hosts immediately to prevent further spread of the malware across the network. This can be done by disconnecting them from the network or using network segmentation techniques.
|
|
- Conduct a thorough scan of the isolated hosts using updated antivirus or endpoint detection and response (EDR) tools to identify and remove the malicious files or processes associated with the detected signatures.
|
|
- Analyze the identified malware to understand its behavior and entry points. This will help in determining if additional hosts may be compromised and require similar remediation actions.
|
|
- Apply security patches and updates to all affected systems to close any vulnerabilities that the malware may have exploited.
|
|
- Restore affected systems from clean backups if the malware has caused significant damage or if the integrity of the system cannot be assured after cleaning.
|
|
- Monitor network traffic and endpoint activities closely for any signs of persistence or re-infection, using enhanced detection rules and updated threat intelligence feeds.
|
|
- Escalate the incident to the appropriate internal or external cybersecurity teams if the infection appears to be part of a larger coordinated attack, ensuring that all relevant data and findings are shared for further investigation and response."""
|
|
references = ["https://github.com/elastic/protections-artifacts/tree/main/yara/rules"]
|
|
risk_score = 73
|
|
rule_id = "28371aa1-14ed-46cf-ab5b-2fc7d1942278"
|
|
severity = "high"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"Data Source: Elastic Defend",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Execution",
|
|
"Rule Type: Higher-Order Rule",
|
|
"Resources: Investigation Guide",
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "esql"
|
|
|
|
query = '''
|
|
from logs-endpoint.alerts-*
|
|
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null
|
|
| keep host.id, rule.name, event.code
|
|
| stats Esql.host_id_count_distinct = count_distinct(host.id) by rule.name, event.code
|
|
| where Esql.host_id_count_distinct >= 3
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1204"
|
|
name = "User Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1204/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1204.002"
|
|
name = "Malicious File"
|
|
reference = "https://attack.mitre.org/techniques/T1204/002/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
|
|